656399e157ed4116fd056b5e4889c25773d62c4862ccdf9646a3c27884d01576

General

Target

Shell.exe
Size

300.0MB
MD5

ee792a047fb2febbdadee7d476c96fc8
SHA1

ae71082d2321633e466489d37f29bfcec0913c8f
SHA256

d7d98d8f0c584f85bf88ba9d1b309cd92bdc35f2786decf7ee8adae1d5904f61
SHA512

6be6d06d64b949332f53f6411fd865a1c2832f57fdcce47e2afe1f8c78fa20fc248d3c950ee976a42969c590087fc64d7c2ebcc1d644eb40bc8948a7efcc6f28
SSDEEP

49152:WCbXXLwkHUqmLMe6TOh3ElWQKBUDwIx2Sfr5jIiMjt2:WmrwkH2Me6KmWQKBddSH

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Shell.exe

pid process

1532 Shell.exe

pid	process
1532	Shell.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2176-8-0x0000000000700000-0x0000000000AE4000-memory.dmp	upx
behavioral2/memory/2176-10-0x0000000000700000-0x0000000000AE4000-memory.dmp	upx
behavioral2/memory/2176-9-0x0000000000700000-0x0000000000AE4000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

Shell.exe

description pid process target process

PID 2748 set thread context of 2176 2748 Shell.exe RegAsm.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1276 2176 WerFault.exe RegAsm.exe
396 2176 WerFault.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3536 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Shell.exeShell.exe

description pid process

Token: SeDebugPrivilege 2748 Shell.exe
Token: SeDebugPrivilege 1532 Shell.exe

description	pid	process	target process
PID 2748 set thread context of 2176	2748	Shell.exe	RegAsm.exe

pid	pid_target	process	target process
1276	2176	WerFault.exe	RegAsm.exe
396	2176	WerFault.exe	RegAsm.exe

pid	process
3536	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2748	Shell.exe
Token: SeDebugPrivilege	1532	Shell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Shell.execmd.exe

description	pid	process	target process
PID 2748 wrote to memory of 2176	2748	Shell.exe	RegAsm.exe
PID 2748 wrote to memory of 2176	2748	Shell.exe	RegAsm.exe
PID 2748 wrote to memory of 2176	2748	Shell.exe	RegAsm.exe
PID 2748 wrote to memory of 2176	2748	Shell.exe	RegAsm.exe
PID 2748 wrote to memory of 2176	2748	Shell.exe	RegAsm.exe
PID 2748 wrote to memory of 2176	2748	Shell.exe	RegAsm.exe
PID 2748 wrote to memory of 2176	2748	Shell.exe	RegAsm.exe
PID 2748 wrote to memory of 1664	2748	Shell.exe	cmd.exe
PID 2748 wrote to memory of 1664	2748	Shell.exe	cmd.exe
PID 2748 wrote to memory of 1664	2748	Shell.exe	cmd.exe
PID 2748 wrote to memory of 2384	2748	Shell.exe	cmd.exe
PID 2748 wrote to memory of 2384	2748	Shell.exe	cmd.exe
PID 2748 wrote to memory of 2384	2748	Shell.exe	cmd.exe
PID 1664 wrote to memory of 3536	1664	cmd.exe	schtasks.exe
PID 1664 wrote to memory of 3536	1664	cmd.exe	schtasks.exe
PID 1664 wrote to memory of 3536	1664	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Shell.exe
"C:\Users\Admin\AppData\Local\Temp\Shell.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 536
3⤵
- Program crash
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 540
3⤵
- Program crash
PID:396

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafnias" /tr "'C:\Users\Admin\AppData\Roaming\Shell\Shell.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafnias" /tr "'C:\Users\Admin\AppData\Roaming\Shell\Shell.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3536

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\Shell.exe" "C:\Users\Admin\AppData\Roaming\Shell\Shell.exe"
2⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2176 -ip 2176
1⤵
PID:3924

C:\Users\Admin\AppData\Roaming\Shell\Shell.exe
C:\Users\Admin\AppData\Roaming\Shell\Shell.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2176 -ip 2176
1⤵
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Shell\Shell.exe
Filesize
37KB

MD5
d65f4fe14878f56d1af913bef43077dc

SHA1
0872839c833263264e44ea508982acac58ec351d

SHA256
08872f6be6dfd9a6a6ead7a3c66ca3fb9392a6832c540922a586582ac844ef09

SHA512
3f8e0e4a192c181f673d00948f095c9ecb44569e6994943c68f3a84b9d34b34172a08c73a6e271184ce708e162d8987af0cbae26b3701859b86c2f1fd409cb9f

Download Submit
C:\Users\Admin\AppData\Roaming\Shell\Shell.exe
Filesize
85KB

MD5
7bfdb939aca80fee35d29c38a60687ba

SHA1
23ed4ff098f9ce0b50028f6a7a64eafee09e26a3

SHA256
3952fe15b52b2e2ce072e4a04a4927a7b0b4f03fa38b5664333c3ca4e0a020a1

SHA512
444ede01ee903a7026bb79a72fb8a474c89a631fd317c14e3d43a21e3970f1576df983d4e90a465eaf8a1db7b8f336e79729f41a3a2dd2346830bfb7b3ffa337

Download Submit
memory/1532-19-0x0000000005980000-0x0000000005990000-memory.dmp

Filesize
64KB

Download
memory/1532-18-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/1532-17-0x0000000005980000-0x0000000005990000-memory.dmp

Filesize
64KB

Download
memory/1532-15-0x0000000000F30000-0x00000000010F2000-memory.dmp

Filesize
1.8MB

Download
memory/1532-16-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/2176-8-0x0000000000700000-0x0000000000AE4000-memory.dmp

Filesize
3.9MB

Download
memory/2176-10-0x0000000000700000-0x0000000000AE4000-memory.dmp

Filesize
3.9MB

Download
memory/2176-9-0x0000000000700000-0x0000000000AE4000-memory.dmp

Filesize
3.9MB

Download
memory/2748-1-0x0000000000C00000-0x0000000000DC2000-memory.dmp

Filesize
1.8MB

Download
memory/2748-7-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/2748-6-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/2748-5-0x0000000005630000-0x000000000563A000-memory.dmp

Filesize
40KB

Download
memory/2748-4-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/2748-2-0x0000000005790000-0x0000000005D34000-memory.dmp

Filesize
5.6MB

Download
memory/2748-3-0x0000000005280000-0x0000000005312000-memory.dmp

Filesize
584KB

Download
memory/2748-0-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads