Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-06-2024 08:53

General

  • Target
    ShaderifyBeta.exe
  • Size
    120.4MB
  • MD5
    b9f8c41f3f567782a8dfc4a90f35163c
  • SHA1
    89afe38e055b6fc96a36158bdca344fc73d9c659
  • SHA256
    1ec5238c41c2f9655cee2b676a9c7a48821f624b1c59a4a4ac05583b21dd1458
  • SHA512
    49d495b2bc6cdcc9a64d77560a92dc9e6377cba9892b23a9f3d79fa3f42b28635d87e96b20e2a8303238e8c8faaed6849210274a28fe65f6dcf24ca0c7cc52c3
  • SSDEEP
    1572864:g1f0+Sva7Hdp1Nhn+aCdrvdYrZ/7/lbg8udR8SnuSE49z:Fasulbg8yTnbEOz

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe
    "C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uj3osc1l.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2540
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32D4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC32D3.tmp"
            5⤵
              PID:3028
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2332
        • C:\Windows\system32\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2732
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,118,15,111,182,215,54,82,72,136,26,56,188,234,104,207,139,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,253,95,42,89,97,96,145,105,134,65,186,218,54,63,151,38,224,9,191,71,136,75,181,66,230,176,203,96,226,244,195,218,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,206,215,77,135,63,182,209,100,158,156,120,193,137,23,197,23,112,177,117,241,159,140,39,95,171,44,239,104,117,242,162,137,48,0,0,0,226,87,31,244,153,200,57,247,226,251,206,164,212,206,92,58,240,215,105,6,80,49,136,70,24,192,82,192,7,64,37,1,78,48,111,2,84,0,13,48,142,195,130,49,208,48,86,13,64,0,0,0,186,225,40,149,75,14,43,176,40,14,27,196,217,32,122,224,209,108,122,127,43,218,234,231,211,92,5,23,29,99,155,189,39,125,132,34,54,180,1,43,213,255,249,1,238,199,39,55,32,250,167,23,100,194,152,77,192,205,215,235,95,126,89,80), $null, 'CurrentUser')"
        2⤵
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,118,15,111,182,215,54,82,72,136,26,56,188,234,104,207,139,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,253,95,42,89,97,96,145,105,134,65,186,218,54,63,151,38,224,9,191,71,136,75,181,66,230,176,203,96,226,244,195,218,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,206,215,77,135,63,182,209,100,158,156,120,193,137,23,197,23,112,177,117,241,159,140,39,95,171,44,239,104,117,242,162,137,48,0,0,0,226,87,31,244,153,200,57,247,226,251,206,164,212,206,92,58,240,215,105,6,80,49,136,70,24,192,82,192,7,64,37,1,78,48,111,2,84,0,13,48,142,195,130,49,208,48,86,13,64,0,0,0,186,225,40,149,75,14,43,176,40,14,27,196,217,32,122,224,209,108,122,127,43,218,234,231,211,92,5,23,29,99,155,189,39,125,132,34,54,180,1,43,213,255,249,1,238,199,39,55,32,250,167,23,100,194,152,77,192,205,215,235,95,126,89,80), $null, 'CurrentUser')
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2520
      • C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe
        "C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe" --type=gpu-process --field-trial-handle=1172,1763405922463736370,2378411873916200231,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1188 /prefetch:2
        2⤵
          PID:1604
        • C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe
          "C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1172,1763405922463736370,2378411873916200231,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1460 /prefetch:8
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2056
        • C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe
          "C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe" --type=gpu-process --field-trial-handle=1172,1763405922463736370,2378411873916200231,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1360 /prefetch:2
          2⤵
            PID:1568

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\edge\Updater\Get-Clipboard.ps1
    Filesize: 3KB
    MD5: 52cc110bb3777aa6bba7900630d4eb49
    SHA1: 3663dc658fd13d407e49781d1a5c2aa203c252fc
    SHA256: 892a9edb03db3fd88fecc1e1a2f56a7339f16f6734e8d77e6538ea2c8c9026d6
    SHA512: 89b80d2783e902d68ffd08b6f3fb1848ae6e6c4bf2d7a1e4afdac970b2ee6ffcc58116cdd6234e3d6278eb9413d36aafe62b5beca24a0846575d12af0c5112ab

  • C:\Users\Admin\AppData\Local\Temp\Admincookies.zip
    Filesize: 22B
    MD5: 76cdb2bad9582d23c1f6f4d868218d6c
    SHA1: b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
    SHA256: 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
    SHA512: 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

  • C:\Users\Admin\AppData\Local\Temp\RES32D4.tmp
    Filesize: 1KB
    MD5: 975e1493ed186f5c28e1fa8b22ffdb35
    SHA1: 9e850987523aedcf91615df02fe53011f904159f
    SHA256: acd79f0eaf1c9c71bd0efe2d120c1e01c52547440baab92c6e39dfdadffec584
    SHA512: cc50361e26e283ece619b3ce4d4349a4e977919a306d26a006557960c7189b1d6e02bedca41f40f6b07e25e17e18b02ddd277fed5fd9aeb24ada558297ad662b

  • C:\Users\Admin\AppData\Local\Temp\uj3osc1l.dll
    Filesize: 3KB
    MD5: 1dec73136e07a111751becad7e683da0
    SHA1: 02014c3ebdbf3bd8faca26f04dadb9365c9d662c
    SHA256: 720bf989e81b4c839b03be09578518fcb5ec016a4f7600a6499c26892cb6955a
    SHA512: 1323d7256d6920f1d60044588543490f3eae0b9f1897538472d71152548409945a9e401d6e6512c164ba03df0bb0ecac554a9f29d9ad8c6652d29cfbe14214d2

  • C:\Users\Admin\AppData\Local\Temp\uj3osc1l.pdb
    Filesize: 11KB
    MD5: c9c5d6885c9065ddcb2eb88dca999b81
    SHA1: 88ed263b4ccc599204e0b2fd238deecdf75fd99f
    SHA256: c59fb470d7ee43f4da5b09b579d0b807463acf400f00488cf0456ce91d6bf667
    SHA512: 40f2f0fcbb58ef391c9927f683f6a70a376ad5c2637f98a50823ae7bb0bd4832c7ae076299ffc95d8572aa2b283f141b94eb960b8da46af6ba7ac144afec1c82

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: 1f579ff27f26fff7ea3d2c1552dac5b4
    SHA1: db47575d2ffbbe063bffa25683054472d283e931
    SHA256: 3766314ecb365b907986e1874526c5a73861c77f7ad5b0843bb4f7be712b3327
    SHA512: b695920642371a763cea45292e544f9d57a01ababdf1561154d3bb24af3b2a46160c5d1b8a38a826271fa654ddd07f8f59df62a67a6416c38980bc64290b2961

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC32D3.tmp
    Filesize: 652B
    MD5: eeeed9d083f6893f2edd7d61d763fd59
    SHA1: ec8a1f08ff56c5dfe63b329cbe77f55158f8e3ad
    SHA256: b3e659c57a7524099881b9e65cae4404ae0eb541e07626dcda69a0188cbda416
    SHA512: 98995373a613b4c639db59bc956c713ce48a5c847142d418c6c94a3e8197dad3120f7678dd5c86863938c9bab34f8ff4a6d15c5c30c7d8304467dc6d23d4cd06

  • \??\c:\Users\Admin\AppData\Local\Temp\uj3osc1l.0.cs
    Filesize: 426B
    MD5: b462a7b0998b386a2047c941506f7c1b
    SHA1: 61e8aa007164305a51fa2f1cebaf3f8e60a6a59f
    SHA256: a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35
    SHA512: eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

  • \??\c:\Users\Admin\AppData\Local\Temp\uj3osc1l.cmdline
    Filesize: 309B
    MD5: a63fc612aa2f620d2acb25bf455565e3
    SHA1: 2d455a1f46b027f0dfa4b2e3fe76d233e2b6c1b1
    SHA256: 322f1026c1c1c73672f72a54759aa54279a54424fa31f2ff3d2b3b9393bd5296
    SHA512: d4431eff4f847be9e38170447d1cbf647340ece60cd2b7534eaa33d3e6f5c079f11d067b530118f51a302f9bf2dfb8c690d62efd9ed92714a44b884504300807

  • \Users\Admin\AppData\Local\Temp\92e4b02e-2aa9-454b-bb24-ffc61f59e499.tmp.node
    Filesize: 1.4MB
    MD5: 56192831a7f808874207ba593f464415
    SHA1: e0c18c72a62692d856da1f8988b0bc9c8088d2aa
    SHA256: 6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c
    SHA512: c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

  • memory/1604-45-0x0000000000060000-0x0000000000061000-memory.dmp
    Filesize: 4KB

  • memory/1604-78-0x0000000077260000-0x0000000077261000-memory.dmp
    Filesize: 4KB

  • memory/2716-11-0x0000000002860000-0x0000000002868000-memory.dmp
    Filesize: 32KB

  • memory/2716-35-0x0000000002A10000-0x0000000002A18000-memory.dmp
    Filesize: 32KB

  • memory/2716-10-0x000000001B770000-0x000000001BA52000-memory.dmp
    Filesize: 2.9MB