cb3efa4f3d8225697cab092ecabba18353ac24b874bef80e705a1d1dd48e3f52

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/02/2024, 05:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8616f6a3ef9c203c5f3401fff16607a9.exe
Size

12.3MB
MD5

8616f6a3ef9c203c5f3401fff16607a9
SHA1

fe3ee4441295b5cb7cc006673755f42d713fbeb1
SHA256

cb3efa4f3d8225697cab092ecabba18353ac24b874bef80e705a1d1dd48e3f52
SHA512

ddc5ae041eaea91f7b60e9d5ee95499aba34c9d0151cec2cb4b665833ba79214c1b3d2102c8d7d078906be362ab0b81f099f0618d8f0caeb80dbdbae315c2799
SSDEEP

393216:EG1J86L+1mbeRq7DEac3cdiG6VvRq7DEac3cn:R1J88ZUt3ksQUt3Q

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2116	8616f6a3ef9c203c5f3401fff16607a9.tmp
1760	experience.exe

Loads dropped DLL 3 IoCs

pid	Process
2804	8616f6a3ef9c203c5f3401fff16607a9.exe
2116	8616f6a3ef9c203c5f3401fff16607a9.tmp
2116	8616f6a3ef9c203c5f3401fff16607a9.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ShadowMaker\experience.exe	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-2CH7B.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\cfg\is-4HQIN.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\imageformats\is-3JV40.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-6JGFH.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-TKT4R.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File opened for modification	C:\Program Files (x86)\ShadowMaker\unins000.dat	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-SLD3F.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\en-us\win8_x64\is-1O09E.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\en-us\x86\is-QAVVT.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File opened for modification	C:\Program Files (x86)\ShadowMaker\SMTPEmail.dll	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-SO2HR.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-66CUO.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-B5V1U.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-6SCCS.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-3M0ES.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\en-us\win8_x86\is-B1NMG.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-3MRMH.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-QIEON.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\en-us\win8_x86\is-CF288.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File opened for modification	C:\Program Files (x86)\ShadowMaker\NetFileDialogLib.dll	8616f6a3ef9c203c5f3401fff16607a9.tmp
File opened for modification	C:\Program Files (x86)\ShadowMaker\PathControlLib.dll	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-ST6PC.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-9F08G.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-HBJ5T.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\en-us\x86\is-QQELN.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File opened for modification	C:\Program Files (x86)\ShadowMaker\MountDriveImageClient.dll	8616f6a3ef9c203c5f3401fff16607a9.tmp
File opened for modification	C:\Program Files (x86)\ShadowMaker\PASServer.dll	8616f6a3ef9c203c5f3401fff16607a9.tmp
File opened for modification	C:\Program Files (x86)\ShadowMaker\msvcr120.dll	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-EI99J.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-THMGU.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-TKPDK.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-8305G.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File opened for modification	C:\Program Files (x86)\ShadowMaker\qtservice.dll	8616f6a3ef9c203c5f3401fff16607a9.tmp
File opened for modification	C:\Program Files (x86)\ShadowMaker\wimgapi.dll	8616f6a3ef9c203c5f3401fff16607a9.tmp
File opened for modification	C:\Program Files (x86)\ShadowMaker\MountDriveImageDisk.dll	8616f6a3ef9c203c5f3401fff16607a9.tmp
File opened for modification	C:\Program Files (x86)\ShadowMaker\msvcp120.dll	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-MNT26.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\en-us\win8_x86\is-ABBFD.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-A9LBC.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-ASFL6.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-0RFLH.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-3CIUF.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-AL29V.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\en-us\x64\is-8R288.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File opened for modification	C:\Program Files (x86)\ShadowMaker\Pas2.dll	8616f6a3ef9c203c5f3401fff16607a9.tmp
File opened for modification	C:\Program Files (x86)\ShadowMaker\zlibwapi.dll	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-LB0QO.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-C43SV.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-IBQEM.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File opened for modification	C:\Program Files (x86)\ShadowMaker\vdskapi.dll	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-GSV5D.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-LI192.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-O11SB.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-4EFKQ.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-IL2R3.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\cfg\is-44KAN.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\en-us\x86\is-LNDL6.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\en-us\win8_x64\is-95V03.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\en-us\win8_x64\is-12DT3.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\is-S3690.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File created	C:\Program Files (x86)\ShadowMaker\en-us\x64\is-UPBMT.tmp	8616f6a3ef9c203c5f3401fff16607a9.tmp
File opened for modification	C:\Program Files (x86)\ShadowMaker\imageformats\qgif.dll	8616f6a3ef9c203c5f3401fff16607a9.tmp
File opened for modification	C:\Program Files (x86)\ShadowMaker\ssleay32.dll	8616f6a3ef9c203c5f3401fff16607a9.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2116	8616f6a3ef9c203c5f3401fff16607a9.tmp
2116	8616f6a3ef9c203c5f3401fff16607a9.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2116	8616f6a3ef9c203c5f3401fff16607a9.tmp

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2116	2804	8616f6a3ef9c203c5f3401fff16607a9.exe	28
PID 2804 wrote to memory of 2116	2804	8616f6a3ef9c203c5f3401fff16607a9.exe	28
PID 2804 wrote to memory of 2116	2804	8616f6a3ef9c203c5f3401fff16607a9.exe	28
PID 2804 wrote to memory of 2116	2804	8616f6a3ef9c203c5f3401fff16607a9.exe	28
PID 2804 wrote to memory of 2116	2804	8616f6a3ef9c203c5f3401fff16607a9.exe	28
PID 2804 wrote to memory of 2116	2804	8616f6a3ef9c203c5f3401fff16607a9.exe	28
PID 2804 wrote to memory of 2116	2804	8616f6a3ef9c203c5f3401fff16607a9.exe	28
PID 2116 wrote to memory of 1760	2116	8616f6a3ef9c203c5f3401fff16607a9.tmp	29
PID 2116 wrote to memory of 1760	2116	8616f6a3ef9c203c5f3401fff16607a9.tmp	29
PID 2116 wrote to memory of 1760	2116	8616f6a3ef9c203c5f3401fff16607a9.tmp	29
PID 2116 wrote to memory of 1760	2116	8616f6a3ef9c203c5f3401fff16607a9.tmp	29

C:\Users\Admin\AppData\Local\Temp\8616f6a3ef9c203c5f3401fff16607a9.exe
"C:\Users\Admin\AppData\Local\Temp\8616f6a3ef9c203c5f3401fff16607a9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Local\Temp\is-Q5VAI.tmp\8616f6a3ef9c203c5f3401fff16607a9.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-Q5VAI.tmp\8616f6a3ef9c203c5f3401fff16607a9.tmp" /SL5="$70120,12177326,721408,C:\Users\Admin\AppData\Local\Temp\8616f6a3ef9c203c5f3401fff16607a9.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Program Files (x86)\ShadowMaker\experience.exe
    "C:\Program Files (x86)\ShadowMaker\experience.exe" 8616f6a3ef9c203c5f3401fff16607a9.exe
    3⤵
    - Executes dropped EXE
    PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ShadowMaker\experience.exe

Filesize
175KB

MD5
7030ff1087d00289e5dfed1021c986b2

SHA1
2def6aa37cf853934268aff0f2566f636a552321

SHA256
137670c7649484cb9efcb4b0bd91ecf43e8d3734dbd9f0a0787f674e55905f7d

SHA512
81787de066c2400412af96d822263f3555e57191f6e6abed5990c4eef4d6007f67aff87c19b7603ebf9bb08e8941fb13285193a5b30a7c0c8a6fefd71387b330

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q5VAI.tmp\8616f6a3ef9c203c5f3401fff16607a9.tmp

Filesize
752KB

MD5
3db917d8d9720b54a4c868a35805315e

SHA1
f64c0bdde46e9126edc2b1f19978ff64d298ca89

SHA256
86d8d7a2b130c1b827d2e0ac50df14466d72e65d8621f5f9e124a2617d390deb

SHA512
e835be0e9c63b386bb0d59b301273e6cdce19dbe175b0050f42faf3ccfd8c04ab624a6203d8b2035606a58a05b669c67037b6f9dcaaa118021bbb3911b9d6200

Download Submit
\Program Files (x86)\ShadowMaker\experience.exe

Filesize
881KB

MD5
cc742c4ae8240c1d2b36caec81eec115

SHA1
0cd57c0e96b7909a1c3c504417722f0df263ee95

SHA256
4834b7b4cd7466f78290ee62940e8b5488eead357b1a5346aecf15c1d29c968c

SHA512
ec9c731cc5ab31a462bbb70e23e445f411540a3935d59625ab8bae4c1bcf3f27817d835f7527a27d867871419903a0983462c8afb756b3d9f3e53b0cbb0dacd5

Download Submit
\Users\Admin\AppData\Local\Temp\is-2U4CB.tmp\_isetup\_isdecmp.dll

Filesize
23KB

MD5
77d6d961f71a8c558513bed6fd0ad6f1

SHA1
122bb9ed6704b72250e4e31b5d5fc2f0476c4b6a

SHA256
5da7c8d33d3b7db46277012d92875c0b850c8abf1eb3c8c9c5b9532089a0bcf0

SHA512
b0921e2442b4cdec8cc479ba3751a01c0646a4804e2f4a5d5632fa2dbf54cc45d4cccffa4d5b522d42afc2f6a622e07882ed7e663c8462333b082e82503f335a

Download Submit
\Users\Admin\AppData\Local\Temp\is-Q5VAI.tmp\8616f6a3ef9c203c5f3401fff16607a9.tmp

Filesize
2.4MB

MD5
d9b6cc86734de734dac4d44ea322bd98

SHA1
261bdd9e9fda40b7a34f213c0d44b9e4d401c811

SHA256
fbaf958bb45bd9b3bc1072066516ed89491a52233edbbfc53c0a67ccbef75578

SHA512
82947131d5823e035e01d09912097ea58ae52afa2b44166a3fef2131a53ecadfedde21d3c2ec688d87ffc40bf31bdd9ff12fe23e16d4ecd44ade9a08cf220dc5

Download Submit
memory/1760-127-0x0000000000400000-0x000000000171E000-memory.dmp

Filesize
19.1MB

Download
memory/1760-133-0x0000000000400000-0x000000000171E000-memory.dmp

Filesize
19.1MB

Download
memory/1760-139-0x0000000000400000-0x000000000171E000-memory.dmp

Filesize
19.1MB

Download
memory/1760-138-0x0000000000400000-0x000000000171E000-memory.dmp

Filesize
19.1MB

Download
memory/1760-128-0x0000000000400000-0x000000000171E000-memory.dmp

Filesize
19.1MB

Download
memory/1760-129-0x0000000000400000-0x000000000171E000-memory.dmp

Filesize
19.1MB

Download
memory/1760-130-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2116-134-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2116-132-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/2116-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2116-135-0x0000000003AB0000-0x0000000004DCE000-memory.dmp

Filesize
19.1MB

Download
memory/2116-126-0x0000000003AB0000-0x0000000004DCE000-memory.dmp

Filesize
19.1MB

Download
memory/2804-131-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2804-0-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download