bd3026127fe5c6e161fd612c2779efa72aa7a7d1324226a435eae8202bc7413c

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/02/2024, 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Backdoor.Win32.Shark.exe
Size

305KB
MD5

5ff4b7f5334e8c4d1f6eefe5a0af1ff6
SHA1

1c65c72416a31fda76d6d824f8e739f8b24c40ea
SHA256

bd3026127fe5c6e161fd612c2779efa72aa7a7d1324226a435eae8202bc7413c
SHA512

8fa34cdbc48b06131cd0d24bc337dce4498f0134c81fef44a81f16ee473104cf79a880d0499415c740941ff02ccdcd428ea2172f6156d23f6fb020b8dc21dde2
SSDEEP

6144:zdZOSoyCVuqaGqqCG6K3SidwlBUov2GBxgGNkVsuaRaU6mHG:pIx0UEHgA0aRz6mHG

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1776	b2e.exe

Loads dropped DLL 5 IoCs

pid	Process
2224	Backdoor.Win32.Shark.exe
2224	Backdoor.Win32.Shark.exe
2800	WerFault.exe
2800	WerFault.exe
2800	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2800	1776	WerFault.exe	28

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 1776	2224	Backdoor.Win32.Shark.exe	28
PID 2224 wrote to memory of 1776	2224	Backdoor.Win32.Shark.exe	28
PID 2224 wrote to memory of 1776	2224	Backdoor.Win32.Shark.exe	28
PID 2224 wrote to memory of 1776	2224	Backdoor.Win32.Shark.exe	28
PID 1776 wrote to memory of 2800	1776	b2e.exe	29
PID 1776 wrote to memory of 2800	1776	b2e.exe	29
PID 1776 wrote to memory of 2800	1776	b2e.exe	29
PID 1776 wrote to memory of 2800	1776	b2e.exe	29

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Shark.exe
"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Shark.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\3F9F.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\3F9F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\3F9F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Shark.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 124
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3F9F.tmp\b2e.exe

Filesize
289KB

MD5
f2c1a4dddeb5e55232388f07217a7179

SHA1
b2e1b14180a9b7754e90a62c1786639f97d78f01

SHA256
35efd640ee571f7dd1d1a7ace3f0d4bc87ea6990cab5ce8a36690b58057208b8

SHA512
2975aea442b96034667e8ec790ddaa597ae403276c7ce3a537573c7fdd9b81a22cba276be1df04e9d58a6da21d4bbe2bf2b755ba5390b45666610259994077cc

Download Submit
memory/1776-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1776-13-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download