Overview

Task                      Platform              Score
Static                    static                3
c0010bd39b...f5.exe       windows7-x64          7
c0010bd39b...f5.exe       windows10-2004-x64    7
$PLUGINSDI...er.dll       windows7-x64          1
$PLUGINSDI...er.dll       windows10-2004-x64    1
$PLUGINSDI...ls.dll       windows7-x64          3
$PLUGINSDI...ls.dll       windows10-2004-x64    3
$PLUGINSDI...em.dll       windows7-x64          3
$PLUGINSDI...em.dll       windows10-2004-x64    3
$PLUGINSDI...ll.dll       windows7-x64          3
$PLUGINSDI...ll.dll       windows10-2004-x64    3
LICENSES.c...m.html       windows7-x64          1
LICENSES.c...m.html       windows10-2004-x64    1
ShadowFury.exe            windows7-x64          1
ShadowFury.exe            windows10-2004-x64    7
d3dcompiler_47.dll        windows10-2004-x64    3
ffmpeg.dll                windows7-x64          1
ffmpeg.dll                windows10-2004-x64    1
libEGL.dll                windows7-x64          1
libEGL.dll                windows10-2004-x64    1
libGLESv2.dll             windows7-x64          3
libGLESv2.dll             windows10-2004-x64    3
locales/af.ps1            windows7-x64          1
locales/af.ps1            windows10-2004-x64    1
locales/uk.ps1            windows7-x64          1
locales/uk.ps1            windows10-2004-x64    1
resources/elevate.exe     windows7-x64          1
resources/elevate.exe     windows10-2004-x64    1
vk_swiftshader.dll        windows7-x64          3
vk_swiftshader.dll        windows10-2004-x64    3
vulkan-1.dll              windows7-x64          3
vulkan-1.dll              windows10-2004-x64    3
$PLUGINSDI...ec.dll       windows7-x64          3
Analysis
- max time kernel: 93s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/04/2024, 07:11
Static task
- static1

Behavioral tasks
- behavioral1: Sample c0010bd39bdd04aee00a67a73c839c05c8972e473075a2a22213351efa818ff5.exe, Resource win7-20240221-en
- behavioral2: Sample c0010bd39bdd04aee00a67a73c839c05c8972e473075a2a22213351efa818ff5.exe, Resource win10v2004-20240412-en
- behavioral3: Sample $PLUGINSDIR/SpiderBanner.dll, Resource win7-20231129-en
- behavioral4: Sample $PLUGINSDIR/SpiderBanner.dll, Resource win10v2004-20240412-en
- behavioral5: Sample $PLUGINSDIR/StdUtils.dll, Resource win7-20240220-en
- behavioral6: Sample $PLUGINSDIR/StdUtils.dll, Resource win10v2004-20240412-en
- behavioral7: Sample $PLUGINSDIR/System.dll, Resource win7-20240215-en
- behavioral8: Sample $PLUGINSDIR/System.dll, Resource win10v2004-20240226-en
- behavioral9: Sample $PLUGINSDIR/WinShell.dll, Resource win7-20240221-en
- behavioral10: Sample $PLUGINSDIR/WinShell.dll, Resource win10v2004-20240412-en
- behavioral11: Sample LICENSES.chromium.html, Resource win7-20231129-en
- behavioral12: Sample LICENSES.chromium.html, Resource win10v2004-20240412-en
- behavioral13: Sample ShadowFury.exe, Resource win7-20240221-en
- behavioral14: Sample ShadowFury.exe, Resource win10v2004-20240412-en
- behavioral15: Sample d3dcompiler_47.dll, Resource win10v2004-20240412-en
- behavioral16: Sample ffmpeg.dll, Resource win7-20240221-en
- behavioral17: Sample ffmpeg.dll, Resource win10v2004-20240226-en
- behavioral18: Sample libEGL.dll, Resource win7-20231129-en
- behavioral19: Sample libEGL.dll, Resource win10v2004-20240412-en
- behavioral20: Sample libGLESv2.dll, Resource win7-20240221-en
- behavioral21: Sample libGLESv2.dll, Resource win10v2004-20240412-en
- behavioral22: Sample locales/af.ps1, Resource win7-20240215-en
- behavioral23: Sample locales/af.ps1, Resource win10v2004-20240412-en
- behavioral24: Sample locales/uk.ps1, Resource win7-20240221-en
- behavioral25: Sample locales/uk.ps1, Resource win10v2004-20240226-en
- behavioral26: Sample resources/elevate.exe, Resource win7-20240221-en
- behavioral27: Sample resources/elevate.exe, Resource win10v2004-20240412-en
- behavioral28: Sample vk_swiftshader.dll, Resource win7-20240221-en
- behavioral29: Sample vk_swiftshader.dll, Resource win10v2004-20240412-en
- behavioral30: Sample vulkan-1.dll, Resource win7-20240220-en
- behavioral31: Sample vulkan-1.dll, Resource win10v2004-20240412-en
- behavioral32: Sample $PLUGINSDIR/nsExec.dll, Resource win7-20231129-en
General
- Target: ShadowFury.exe
- Size: 131.9MB
- MD5: 40c4cd50211b681dd8fb792e61c1528a
- SHA1: d9a5697c55de20ece15e8123a97f9987ed519d5c
- SHA256: bb0410610f2b6148f5a2d7995059264aca1f92cbc7f636acef259cad6162679b
- SHA512: 6e9cd99fee28a0543ab09c993942ef1498f1ab46cd056b178fc4bd903b5faeda1bc96a3e1a93658794e5851c8b60c3c89ab54a424ca8ffaba03cf40cd4bda9e7
- SSDEEP: 1572864:O4sMLl/BkZTVV2iplzf+ekzrMdTOG0AfhgojwlwVgmPQtn06H9rejAEdCoIZXCVG:nl/BkVVPBDgmPKa5Wnu3X7
Malware Config
Signatures

Loads dropped DLL (2 IoCs)
pid   Process
3640  ShadowFury.exe
3640  ShadowFury.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
53    ipinfo.io
54    ipinfo.io

Checks processor information in registry (2 TTPs, 7 IoCs)
Processor information is often read in order to detect sandboxing environments.
description         ioc                                                                                   Process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString  ShadowFury.exe
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2                      ShadowFury.exe
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      ShadowFury.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 ShadowFury.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  ShadowFury.exe
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                      ShadowFury.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz                 ShadowFury.exe

Suspicious behavior: EnumeratesProcesses (11 IoCs)
pid   Process
2724  powershell.exe
2724  powershell.exe
4452  powershell.exe
4452  powershell.exe
2576  powershell.exe
2576  powershell.exe
1156  ShadowFury.exe
1156  ShadowFury.exe
2724  powershell.exe
4452  powershell.exe
2576  powershell.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description (Token)            pid   Process
SeShutdownPrivilege            3640  ShadowFury.exe
SeCreatePagefilePrivilege      3640  ShadowFury.exe
SeDebugPrivilege               4452  powershell.exe
SeDebugPrivilege               2724  powershell.exe
SeDebugPrivilege               2576  powershell.exe
SeShutdownPrivilege            3640  ShadowFury.exe
SeCreatePagefilePrivilege      3640  ShadowFury.exe
SeShutdownPrivilege            3640  ShadowFury.exe
SeCreatePagefilePrivilege      3640  ShadowFury.exe
SeShutdownPrivilege            3640  ShadowFury.exe
SeCreatePagefilePrivilege      3640  ShadowFury.exe
SeShutdownPrivilege            3640  ShadowFury.exe
SeCreatePagefilePrivilege      3640  ShadowFury.exe
SeIncreaseQuotaPrivilege       2724  powershell.exe
SeSecurityPrivilege            2724  powershell.exe
SeTakeOwnershipPrivilege       2724  powershell.exe
SeLoadDriverPrivilege          2724  powershell.exe
SeSystemProfilePrivilege       2724  powershell.exe
SeSystemtimePrivilege          2724  powershell.exe
SeProfSingleProcessPrivilege   2724  powershell.exe
SeIncBasePriorityPrivilege     2724  powershell.exe
SeCreatePagefilePrivilege      2724  powershell.exe
SeBackupPrivilege              2724  powershell.exe
SeRestorePrivilege             2724  powershell.exe
SeShutdownPrivilege            2724  powershell.exe
SeDebugPrivilege               2724  powershell.exe
SeSystemEnvironmentPrivilege   2724  powershell.exe
SeRemoteShutdownPrivilege      2724  powershell.exe
SeUndockPrivilege              2724  powershell.exe
SeManageVolumePrivilege        2724  powershell.exe
33                             2724  powershell.exe
34                             2724  powershell.exe
35                             2724  powershell.exe
36                             2724  powershell.exe
SeIncreaseQuotaPrivilege       4452  powershell.exe
SeSecurityPrivilege            4452  powershell.exe
SeTakeOwnershipPrivilege       4452  powershell.exe
SeLoadDriverPrivilege          4452  powershell.exe
SeSystemProfilePrivilege       4452  powershell.exe
SeSystemtimePrivilege          4452  powershell.exe
SeProfSingleProcessPrivilege   4452  powershell.exe
SeIncBasePriorityPrivilege     4452  powershell.exe
SeCreatePagefilePrivilege      4452  powershell.exe
SeBackupPrivilege              4452  powershell.exe
SeRestorePrivilege             4452  powershell.exe
SeShutdownPrivilege            4452  powershell.exe
SeDebugPrivilege               4452  powershell.exe
SeSystemEnvironmentPrivilege   4452  powershell.exe
SeRemoteShutdownPrivilege      4452  powershell.exe
SeUndockPrivilege              4452  powershell.exe
SeManageVolumePrivilege        4452  powershell.exe
33                             4452  powershell.exe
34                             4452  powershell.exe
35                             4452  powershell.exe
36                             4452  powershell.exe
SeShutdownPrivilege            3640  ShadowFury.exe
SeCreatePagefilePrivilege      3640  ShadowFury.exe
SeShutdownPrivilege            3640  ShadowFury.exe
SeCreatePagefilePrivilege      3640  ShadowFury.exe
SeShutdownPrivilege            3640  ShadowFury.exe
SeCreatePagefilePrivilege      3640  ShadowFury.exe
SeShutdownPrivilege            3640  ShadowFury.exe
SeCreatePagefilePrivilege      3640  ShadowFury.exe
SeShutdownPrivilege            3640  ShadowFury.exe

Suspicious use of WriteProcessMemory (59 IoCs)
description                        pid   Process         procid_target
PID 3640 wrote to memory of 3988   3640  ShadowFury.exe  95
PID 3640 wrote to memory of 3988   3640  ShadowFury.exe  95
PID 3640 wrote to memory of 3988   3640  ShadowFury.exe  95
PID 3988 wrote to memory of 3912   3988  cmd.exe         97
PID 3988 wrote to memory of 3912   3988  cmd.exe         97
PID 3988 wrote to memory of 3912   3988  cmd.exe         97
PID 3640 wrote to memory of 1528   3640  ShadowFury.exe  98
PID 3640 wrote to memory of 1528   3640  ShadowFury.exe  98
PID 3640 wrote to memory of 1528   3640  ShadowFury.exe  98
PID 3640 wrote to memory of 2724   3640  ShadowFury.exe  100
PID 3640 wrote to memory of 2724   3640  ShadowFury.exe  100
PID 3640 wrote to memory of 2724   3640  ShadowFury.exe  100
PID 3640 wrote to memory of 4452   3640  ShadowFury.exe  101
PID 3640 wrote to memory of 4452   3640  ShadowFury.exe  101
PID 3640 wrote to memory of 4452   3640  ShadowFury.exe  101
PID 3640 wrote to memory of 2576   3640  ShadowFury.exe  103
PID 3640 wrote to memory of 2576   3640  ShadowFury.exe  103
PID 3640 wrote to memory of 2576   3640  ShadowFury.exe  103
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1368   3640  ShadowFury.exe  106
PID 3640 wrote to memory of 1156   3640  ShadowFury.exe  107
PID 3640 wrote to memory of 1156   3640  ShadowFury.exe  107
PID 3640 wrote to memory of 1156   3640  ShadowFury.exe  107
PID 3640 wrote to memory of 4384   3640  ShadowFury.exe  109
PID 3640 wrote to memory of 4384   3640  ShadowFury.exe  109
PID 3640 wrote to memory of 4384   3640  ShadowFury.exe  109
PID 4384 wrote to memory of 2216   4384  cmd.exe         111
PID 4384 wrote to memory of 2216   4384  cmd.exe         111
PID 4384 wrote to memory of 2216   4384  cmd.exe         111
Processes

- C:\Users\Admin\AppData\Local\Temp\ShadowFury.exe (PID 3640)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ShadowFury.exe"
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe (PID 3988)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "chcp"
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\chcp.com (PID 3912)
      Command line: chcp

  - C:\Windows\SysWOW64\cmd.exe (PID 1528)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2724)
    Command line: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4452)
    Command line: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2576)
    Command line: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Users\Admin\AppData\Local\Temp\ShadowFury.exe (PID 1368)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ShadowFury.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ShadowFury" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1916 --field-trial-handle=1912,i,12562713642983351035,14949666281809302048,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

  - C:\Users\Admin\AppData\Local\Temp\ShadowFury.exe (PID 1156)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ShadowFury.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ShadowFury" --mojo-platform-channel-handle=2140 --field-trial-handle=1912,i,12562713642983351035,14949666281809302048,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  - C:\Windows\SysWOW64\cmd.exe (PID 4384)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\findstr.exe (PID 2216)
      Command line: findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"

  - C:\Users\Admin\AppData\Local\Temp\ShadowFury.exe (PID 3028)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ShadowFury.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\ShadowFury" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1308 --field-trial-handle=1912,i,12562713642983351035,14949666281809302048,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 2KB
  MD5: 4279e6347a341c54e5e9bcc5ccf0b55e
  SHA1: 54e8b5376f11426145c70cb07a47da6c7c536bfe
  SHA256: 1d6fb68d1b317f18ae1f506adebddc735260a7d79fc25cbe5208a66baf9611fb
  SHA512: ebfa6e9a7ae45305d929c0ec75fcf2d368fa786427e533859b537b4c1a3d609f9eff313977e6c3a33acf4d06906149fdc8f3bf684d36be9c5f669867e6b722c5

- Filesize: 21KB
  MD5: 504b556f4fb35cf9f461c5cf25eda40b
  SHA1: ad2f78db635c6689d078db3cff0efde5617de11a
  SHA256: 3451f4be4471c85532c1927d58bb0873ea7aabaa26424479a1add92c3268822f
  SHA512: e3c394e1534691b77af334a3f03641bf23c1e8d9d4951000ba22591a69d4ea4bf7edd9505eed9799892b6004d6c506550b096581519ba2d0824c987d683431f2

- Filesize: 21KB
  MD5: f151198f9160d72846eb1d784adf3ca6
  SHA1: 8a6444605208c99dfb8c8c9a6cccbd39ece17d7e
  SHA256: d042e00673082901a4ea74e367ce380a5f5bb75e40f220e360b5c904a22074a0
  SHA512: a015fb56cc040902c8cad698de92a287298cd2ecf75080a708718c26857e6b8b074a0e6f014f70ba827c769176c4375f668b085b185029a01eb39539deb543f2

- Filesize: 1.5MB
  MD5: 38b06a59c62c0ae0697ca7ca9d038faa
  SHA1: 5b0f8b212d3810e5a11ef3c8db5cb608fe09f037
  SHA256: da32eed100db13a4604149f70e3d04190183a83ef0737cec69e2a9bfb6108e4d
  SHA512: 8dd4bd26ac711925ac7be8ed6aa8cd8da5e503cc10d7f8a8dd78a9655420f511215a925ba902370c9b5be0515ce38c68a5650de0136279fefbb12080cedb273e

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize: 95KB
  MD5: c5cb988e34da7d6aaba113c2565224bd
  SHA1: fc15f35453a6b483c20402bd7ca0040eb0096d0b
  SHA256: c376f270e702f71bac0bcc4982031e99379728f748468c9b09c0c1b31d93fa08
  SHA512: fed34cf2ddbb50319520067e0a960619d1b2a3db29d4d47484ed271b3eddc1f98aad292a3ffc67ac6b94118bcc0d0944e23f37799ca9aec3f852983a5c596cb1