Analysis

  • max time kernel: 149s
  • max time network: 155s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240426-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 03-06-2024 08:53

General

  • Target: ShaderifyBeta.exe
  • Size: 120.4MB
  • MD5: b9f8c41f3f567782a8dfc4a90f35163c
  • SHA1: 89afe38e055b6fc96a36158bdca344fc73d9c659
  • SHA256: 1ec5238c41c2f9655cee2b676a9c7a48821f624b1c59a4a4ac05583b21dd1458
  • SHA512: 49d495b2bc6cdcc9a64d77560a92dc9e6377cba9892b23a9f3d79fa3f42b28635d87e96b20e2a8303238e8c8faaed6849210274a28fe65f6dcf24ca0c7cc52c3
  • SSDEEP: 1572864:g1f0+Sva7Hdp1Nhn+aCdrvdYrZ/7/lbg8udR8SnuSE49z:Fasulbg8yTnbEOz

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with its display window hidden.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and similar material.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe
    "C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:4400
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2788
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rxqp5jle\rxqp5jle.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:424
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49AB.tmp" "c:\Users\Admin\AppData\Local\Temp\rxqp5jle\CSCE4340FD8C5CF418888524C9E3494AA8.TMP"
            5⤵
              PID:2040
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3052
        • C:\Windows\system32\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:3636
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,29,91,20,250,244,96,249,70,151,181,139,149,165,63,141,20,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,153,5,53,101,41,221,199,69,137,25,8,206,225,102,110,200,122,91,33,160,134,229,213,22,203,204,228,9,108,217,15,36,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,209,169,143,159,124,134,19,21,115,239,86,173,129,115,75,126,28,211,192,67,176,83,172,180,133,53,36,115,134,63,125,108,48,0,0,0,247,204,77,117,114,109,27,84,75,239,250,231,249,252,110,35,28,202,157,116,66,197,80,79,79,53,42,90,124,78,22,98,170,121,69,228,70,161,95,144,248,17,178,142,224,204,145,171,64,0,0,0,147,222,190,106,197,5,164,148,65,178,237,73,45,249,247,52,202,203,218,107,66,57,114,152,65,63,102,164,185,7,212,103,210,243,200,201,208,204,243,76,218,218,33,186,103,238,37,186,225,235,182,3,102,148,159,173,246,151,154,219,224,67,3,103), $null, 'CurrentUser')"
        2⤵
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:5036
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,29,91,20,250,244,96,249,70,151,181,139,149,165,63,141,20,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,153,5,53,101,41,221,199,69,137,25,8,206,225,102,110,200,122,91,33,160,134,229,213,22,203,204,228,9,108,217,15,36,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,209,169,143,159,124,134,19,21,115,239,86,173,129,115,75,126,28,211,192,67,176,83,172,180,133,53,36,115,134,63,125,108,48,0,0,0,247,204,77,117,114,109,27,84,75,239,250,231,249,252,110,35,28,202,157,116,66,197,80,79,79,53,42,90,124,78,22,98,170,121,69,228,70,161,95,144,248,17,178,142,224,204,145,171,64,0,0,0,147,222,190,106,197,5,164,148,65,178,237,73,45,249,247,52,202,203,218,107,66,57,114,152,65,63,102,164,185,7,212,103,210,243,200,201,208,204,243,76,218,218,33,186,103,238,37,186,225,235,182,3,102,148,159,173,246,151,154,219,224,67,3,103), $null, 'CurrentUser')
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2420
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,29,91,20,250,244,96,249,70,151,181,139,149,165,63,141,20,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,79,171,147,34,242,140,11,144,120,220,207,24,1,221,227,169,44,203,106,123,198,62,79,112,151,240,97,129,25,0,50,145,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,32,55,196,118,8,60,34,118,98,67,63,99,6,38,147,168,170,66,7,134,227,81,225,238,7,185,77,116,227,246,218,58,48,0,0,0,78,190,62,86,160,155,76,226,24,98,1,99,171,202,6,173,38,116,115,17,183,57,67,52,104,15,151,198,177,138,154,219,128,136,105,37,238,1,157,221,171,183,164,115,48,229,49,214,64,0,0,0,125,51,56,187,118,74,244,13,72,110,208,133,201,236,145,223,199,106,152,47,227,46,94,245,9,105,158,218,74,107,44,139,41,14,192,86,33,57,145,152,112,35,146,122,237,245,61,79,197,152,91,113,187,28,240,193,73,96,252,159,90,120,136,138), $null, 'CurrentUser')"
        2⤵
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:4092
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,29,91,20,250,244,96,249,70,151,181,139,149,165,63,141,20,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,79,171,147,34,242,140,11,144,120,220,207,24,1,221,227,169,44,203,106,123,198,62,79,112,151,240,97,129,25,0,50,145,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,32,55,196,118,8,60,34,118,98,67,63,99,6,38,147,168,170,66,7,134,227,81,225,238,7,185,77,116,227,246,218,58,48,0,0,0,78,190,62,86,160,155,76,226,24,98,1,99,171,202,6,173,38,116,115,17,183,57,67,52,104,15,151,198,177,138,154,219,128,136,105,37,238,1,157,221,171,183,164,115,48,229,49,214,64,0,0,0,125,51,56,187,118,74,244,13,72,110,208,133,201,236,145,223,199,106,152,47,227,46,94,245,9,105,158,218,74,107,44,139,41,14,192,86,33,57,145,152,112,35,146,122,237,245,61,79,197,152,91,113,187,28,240,193,73,96,252,159,90,120,136,138), $null, 'CurrentUser')
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1344
      • C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe
        "C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe" --type=gpu-process --field-trial-handle=1836,14204483464277005053,8560346771562735350,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1844 /prefetch:2
        2⤵
          PID:2272
        • C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe
          "C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,14204483464277005053,8560346771562735350,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2200 /prefetch:8
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1252
        • C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe
          "C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe" --type=gpu-process --field-trial-handle=1836,14204483464277005053,8560346771562735350,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1872 /prefetch:2
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2740
      • C:\Windows\System32\CompPkgSrv.exe
        C:\Windows\System32\CompPkgSrv.exe -Embedding
        1⤵
          PID:640

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\edge\Updater\Get-Clipboard.ps1
    Filesize: 3KB
    MD5: 52cc110bb3777aa6bba7900630d4eb49
    SHA1: 3663dc658fd13d407e49781d1a5c2aa203c252fc
    SHA256: 892a9edb03db3fd88fecc1e1a2f56a7339f16f6734e8d77e6538ea2c8c9026d6
    SHA512: 89b80d2783e902d68ffd08b6f3fb1848ae6e6c4bf2d7a1e4afdac970b2ee6ffcc58116cdd6234e3d6278eb9413d36aafe62b5beca24a0846575d12af0c5112ab

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 3KB
    MD5: f48896adf9a23882050cdff97f610a7f
    SHA1: 4c5a610df62834d43f470cae7e851946530e3086
    SHA256: 3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78
    SHA512: 16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 68d80cc2ac40ea9e5c7297fba6623c45
    SHA1: 05908daef7414f753fa6006082c42485002a7da8
    SHA256: 3b059d656dae93233a96c9079352c1d77c6abfec689cc6236b93b427c9918e96
    SHA512: 2c51e963eba030ee4f2ef5df1577a8ce38cacd6ffc3d0c56258db173352b46cd6048505061c65bd5757d14e2e27d9d396cbce95d58406660af62365bd4e7afb6

  • C:\Users\Admin\AppData\Local\Temp\Admincookies.zip
    Filesize: 22B
    MD5: 76cdb2bad9582d23c1f6f4d868218d6c
    SHA1: b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
    SHA256: 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
    SHA512: 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

  • C:\Users\Admin\AppData\Local\Temp\RES49AB.tmp
    Filesize: 1KB
    MD5: 7b1c2af8ddbcd4c3363b180262abd7d0
    SHA1: 5e8c5227748093c40d64e0717607acdbdd29b9b7
    SHA256: 9f053ba56308492806f15ca87db1b336dee056f534bf4ee806c1897d29402299
    SHA512: f18afa42c832983ddb5a53e5a451d477d82b5e6d9ef6c17109b3c64baaef310347b1413f0142e63d8d72dd05eec815ceecf75b1654b3027ec4a915a5b5e851c1

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_go5q1pmc.uh1.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\dcd43bf2-4266-4892-9855-2c6bd8b87bcf.tmp.node
    Filesize: 1.4MB
    MD5: 56192831a7f808874207ba593f464415
    SHA1: e0c18c72a62692d856da1f8988b0bc9c8088d2aa
    SHA256: 6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c
    SHA512: c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

  • C:\Users\Admin\AppData\Local\Temp\rxqp5jle\rxqp5jle.dll
    Filesize: 3KB
    MD5: 7d368ef8c4c56efa9547e63e4ec515aa
    SHA1: 46f3516cfdadca41f878994f5133fca64665dc5e
    SHA256: e924c2bd8e16474bf12f3bd3ac611dd3d9f5ea001b86dd5e52a9f96d384bc749
    SHA512: e57471f84847dafbd6f95702b0fb5f21d6ae8a8eaea30a735e59ec5a3e10f83ee481b646c61a6d3088a44536406d1222493ebbc4ddbe8c43b296586fd69bd52e

  • \??\c:\Users\Admin\AppData\Local\Temp\rxqp5jle\CSCE4340FD8C5CF418888524C9E3494AA8.TMP
    Filesize: 652B
    MD5: ccbf1e6bddb19b391dabbb5c8ebbdb01
    SHA1: 8c1fe2349bea8bcf3542bf5a30627960ce9f807f
    SHA256: d75d83eb8f467390c5c2f9245a62b617786e55f5a0a3815ab2e4e73dc752737a
    SHA512: 7136016be56afb67ff3d4934db4cc1ec3fc141c2bd5d76c49fff625773d5f84f34db9993a53cc9483b237758f03c1791edb53956924fc1fb8164158edcf800d0

  • \??\c:\Users\Admin\AppData\Local\Temp\rxqp5jle\rxqp5jle.0.cs
    Filesize: 426B
    MD5: b462a7b0998b386a2047c941506f7c1b
    SHA1: 61e8aa007164305a51fa2f1cebaf3f8e60a6a59f
    SHA256: a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35
    SHA512: eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

  • \??\c:\Users\Admin\AppData\Local\Temp\rxqp5jle\rxqp5jle.cmdline
    Filesize: 369B
    MD5: 18a339e346aa61df6906b165ebceac0d
    SHA1: d4a60b888c0e2e8c9d77a79ce22e3e56e09e400c
    SHA256: 11eb4bfaefce360800f256c97e0edef53de240e0cfd84d10982fbd84795ad20d
    SHA512: 8df662c72e3f1f94e0ddff509d334e007935777043297270351c39a1f203bfb1c6652dd81d67f5b4652940a79ee97d0ba3cc78657f30a5189291739c05030891

  • memory/2272-68-0x00007FF81A540000-0x00007FF81A541000-memory.dmp
    Filesize: 4KB

  • memory/2420-43-0x0000021456C30000-0x0000021456C80000-memory.dmp
    Filesize: 320KB

  • memory/2788-30-0x0000019B25F70000-0x0000019B25F78000-memory.dmp
    Filesize: 32KB

  • memory/2788-6-0x0000019B3E210000-0x0000019B3E232000-memory.dmp
    Filesize: 136KB