656399e157ed4116fd056b5e4889c25773d62c4862ccdf9646a3c27884d01576

General

Target

Shell.exe
Size

300.0MB
MD5

ee792a047fb2febbdadee7d476c96fc8
SHA1

ae71082d2321633e466489d37f29bfcec0913c8f
SHA256

d7d98d8f0c584f85bf88ba9d1b309cd92bdc35f2786decf7ee8adae1d5904f61
SHA512

6be6d06d64b949332f53f6411fd865a1c2832f57fdcce47e2afe1f8c78fa20fc248d3c950ee976a42969c590087fc64d7c2ebcc1d644eb40bc8948a7efcc6f28
SSDEEP

49152:WCbXXLwkHUqmLMe6TOh3ElWQKBUDwIx2Sfr5jIiMjt2:WmrwkH2Me6KmWQKBddSH

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1532	Shell.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2176-8-0x0000000000700000-0x0000000000AE4000-memory.dmp	upx
behavioral2/memory/2176-10-0x0000000000700000-0x0000000000AE4000-memory.dmp	upx
behavioral2/memory/2176-9-0x0000000000700000-0x0000000000AE4000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2748 set thread context of 2176	2748	Shell.exe	107

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1276	2176	WerFault.exe	107
396	2176	WerFault.exe	107

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3536	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	Shell.exe
Token: SeDebugPrivilege	1532	Shell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2176	2748	Shell.exe	107
PID 2748 wrote to memory of 2176	2748	Shell.exe	107
PID 2748 wrote to memory of 2176	2748	Shell.exe	107
PID 2748 wrote to memory of 2176	2748	Shell.exe	107
PID 2748 wrote to memory of 2176	2748	Shell.exe	107
PID 2748 wrote to memory of 2176	2748	Shell.exe	107
PID 2748 wrote to memory of 2176	2748	Shell.exe	107
PID 2748 wrote to memory of 1664	2748	Shell.exe	108
PID 2748 wrote to memory of 1664	2748	Shell.exe	108
PID 2748 wrote to memory of 1664	2748	Shell.exe	108
PID 2748 wrote to memory of 2384	2748	Shell.exe	109
PID 2748 wrote to memory of 2384	2748	Shell.exe	109
PID 2748 wrote to memory of 2384	2748	Shell.exe	109
PID 1664 wrote to memory of 3536	1664	cmd.exe	113
PID 1664 wrote to memory of 3536	1664	cmd.exe	113
PID 1664 wrote to memory of 3536	1664	cmd.exe	113

C:\Users\Admin\AppData\Local\Temp\Shell.exe
"C:\Users\Admin\AppData\Local\Temp\Shell.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2176
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 536
    3⤵
    - Program crash
    PID:1276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 540
    3⤵
    - Program crash
    PID:396
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafnias" /tr "'C:\Users\Admin\AppData\Roaming\Shell\Shell.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafnias" /tr "'C:\Users\Admin\AppData\Roaming\Shell\Shell.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:3536
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\Shell.exe" "C:\Users\Admin\AppData\Roaming\Shell\Shell.exe"
  2⤵
  PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2176 -ip 2176
1⤵
PID:3924

C:\Users\Admin\AppData\Roaming\Shell\Shell.exe
C:\Users\Admin\AppData\Roaming\Shell\Shell.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2176 -ip 2176
1⤵
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Shell\Shell.exe

Filesize
37KB

MD5
d65f4fe14878f56d1af913bef43077dc

SHA1
0872839c833263264e44ea508982acac58ec351d

SHA256
08872f6be6dfd9a6a6ead7a3c66ca3fb9392a6832c540922a586582ac844ef09

SHA512
3f8e0e4a192c181f673d00948f095c9ecb44569e6994943c68f3a84b9d34b34172a08c73a6e271184ce708e162d8987af0cbae26b3701859b86c2f1fd409cb9f

Download Submit
C:\Users\Admin\AppData\Roaming\Shell\Shell.exe

Filesize
85KB

MD5
7bfdb939aca80fee35d29c38a60687ba

SHA1
23ed4ff098f9ce0b50028f6a7a64eafee09e26a3

SHA256
3952fe15b52b2e2ce072e4a04a4927a7b0b4f03fa38b5664333c3ca4e0a020a1

SHA512
444ede01ee903a7026bb79a72fb8a474c89a631fd317c14e3d43a21e3970f1576df983d4e90a465eaf8a1db7b8f336e79729f41a3a2dd2346830bfb7b3ffa337

Download Submit
memory/1532-19-0x0000000005980000-0x0000000005990000-memory.dmp

Filesize
64KB

Download
memory/1532-18-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/1532-17-0x0000000005980000-0x0000000005990000-memory.dmp

Filesize
64KB

Download
memory/1532-15-0x0000000000F30000-0x00000000010F2000-memory.dmp

Filesize
1.8MB

Download
memory/1532-16-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/2176-8-0x0000000000700000-0x0000000000AE4000-memory.dmp

Filesize
3.9MB

Download
memory/2176-10-0x0000000000700000-0x0000000000AE4000-memory.dmp

Filesize
3.9MB

Download
memory/2176-9-0x0000000000700000-0x0000000000AE4000-memory.dmp

Filesize
3.9MB

Download
memory/2748-1-0x0000000000C00000-0x0000000000DC2000-memory.dmp

Filesize
1.8MB

Download
memory/2748-7-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/2748-6-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/2748-5-0x0000000005630000-0x000000000563A000-memory.dmp

Filesize
40KB

Download
memory/2748-4-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/2748-2-0x0000000005790000-0x0000000005D34000-memory.dmp

Filesize
5.6MB

Download
memory/2748-3-0x0000000005280000-0x0000000005312000-memory.dmp

Filesize
584KB

Download
memory/2748-0-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads