Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-06-2024 09:47

General

  • Target

    Shaderify.exe

  • Size

    120.4MB

  • MD5

    2776d64baf7179ce926864738c2e8939

  • SHA1

    b55826db4d6ca723869256b97af48761950677a0

  • SHA256

    287b3a16f8e654deb64eb2fd9039803de16a81d17f55a140814ce7dda7f56d96

  • SHA512

    b397926546ad482ab45a65cabb4668997ac0553786c98e8b1cc09cf4706378b8a8b53a30f27665ebbfc84bb66422c36b152a644be4438ba313714703d7cdc7b2

  • SSDEEP

    1572864:o1f0+Sva7Hdp1Nhn+aCdrvdYrZ/7/lbg8udR8SnuSE49z:Nasulbg8yTnbEOz

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
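The signatures above are each common on their own; what makes this sample stand out is their combination under a single Electron application: an executable in the user's Temp directory spawning cmd.exe, a hidden PowerShell run with the execution policy bypassed on a script dropped under C:\ProgramData, csc.exe appearing as a child of PowerShell (the footprint of Add-Type compiling C# at run time), a DPAPI Unprotect call with the blob inlined on the command line, and tasklist for process reconnaissance. The Python below is an added example, not part of the sandbox output: it turns the report's process tree into constructed process-creation records (the parent PID 1000 of the top-level Shaderify.exe is assumed, as the report does not show it, and the DPAPI byte array is shortened) and runs five rules that would have flagged the chain. The Chromium GPU child process is included as a control that must not alert.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records (Sysmon Event ID 1 / 4688 style) modelled on
# the process tree in this report. PIDs and command lines follow the report; the
# parent of the top-level Shaderify.exe (1000) is assumed.
@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

EVENTS = [
    ProcEvent(2400, 1000, r"C:\Users\Admin\AppData\Local\Temp\Shaderify.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Shaderify.exe"'),
    ProcEvent(2580, 2400, r"C:\Windows\system32\cmd.exe",
              r'''C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""'''),
    ProcEvent(2700, 2580, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'''powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"'''),
    ProcEvent(2524, 2700, r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe",
              r'''"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yiuunn7z.cmdline"'''),
    ProcEvent(2664, 2400, r"C:\Windows\system32\cmd.exe",
              r'''C:\Windows\system32\cmd.exe /d /s /c "tasklist"'''),
    ProcEvent(2696, 2664, r"C:\Windows\system32\tasklist.exe", "tasklist"),
    # DPAPI one-liner; the byte array is shortened here, the report carries all 262 bytes.
    ProcEvent(2532, 2400, r"C:\Windows\system32\cmd.exe",
              r'''C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223), $null, 'CurrentUser')"'''),
    ProcEvent(2472, 2532, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'''powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223), $null, 'CurrentUser')'''),
    # Ordinary Electron/Chromium child process: must not alert.
    ProcEvent(2436, 2400, r"C:\Users\Admin\AppData\Local\Temp\Shaderify.exe",
              r'''"C:\Users\Admin\AppData\Local\Temp\Shaderify.exe" --type=gpu-process --mojo-platform-channel-handle=1204 /prefetch:2'''),
]

# Directories an unprivileged user can write to (drop and staging locations).
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\Public)\\", re.I)


def _name(image):
    """Basename of an image path, lower-cased for comparison."""
    return image.rsplit("\\", 1)[-1].lower()


def ancestors(by_pid, pid):
    """Yield parent, grandparent, ... of pid, stopping at the first unknown PID."""
    ev = by_pid.get(pid)
    while ev and ev.ppid in by_pid:
        ev = by_pid[ev.ppid]
        yield ev


def evaluate(events):
    """Return {pid: [rule names]} for every event matching at least one rule."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for e in events:
        name, parent, cl = _name(e.image), by_pid.get(e.ppid), e.cmdline
        matched = []
        # 1. cmd.exe spawned by a binary living in a user-writable directory.
        if name == "cmd.exe" and parent and USER_WRITABLE.search(parent.image):
            matched.append("temp_app_spawns_shell")
        # 2. Hidden, policy-bypassing PowerShell running a script from a drop location.
        if (name == "powershell.exe"
                and re.search(r"-w(indowstyle)?\s+hidden", cl, re.I)
                and re.search(r"-e(xecutionpolicy|p)?\s+bypass", cl, re.I)
                and re.search(r"-File\s+\"?[A-Z]:\\(ProgramData|Users)\\", cl, re.I)):
            matched.append("hidden_bypass_script")
        # 3. csc.exe under powershell.exe: Add-Type compiling C# at run time.
        if name == "csc.exe" and parent and _name(parent.image) == "powershell.exe":
            matched.append("powershell_runtime_compile")
        # 4. DPAPI decryption driven from a command line (blob inlined as a byte array).
        if re.search(r"ProtectedData\]::Unprotect\(", cl, re.I):
            matched.append("dpapi_unprotect_cli")
        # 5. tasklist launched anywhere beneath a binary in a user-writable directory.
        if name == "tasklist.exe" and any(USER_WRITABLE.search(a.image)
                                          for a in ancestors(by_pid, e.pid)):
            matched.append("recon_tasklist")
        if matched:
            hits[e.pid] = matched
    return hits


if __name__ == "__main__":
    for pid, rules in sorted(evaluate(EVENTS).items()):
        print(pid, ", ".join(rules))
```

Rule 5 walks the ancestor chain rather than just the parent because the report shows tasklist one hop removed from the dropper (Shaderify.exe > cmd.exe > tasklist.exe); keying on the immediate parent alone would only see cmd.exe and miss it.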

Processes

  • C:\Users\Admin\AppData\Local\Temp\Shaderify.exe
    "C:\Users\Admin\AppData\Local\Temp\Shaderify.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2400
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2700
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yiuunn7z.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2524
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES148B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC148A.tmp"
            5⤵
              PID:2976
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2664
        • C:\Windows\system32\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2696
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,113,200,52,246,139,142,208,68,160,175,218,80,251,197,138,112,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,218,162,196,100,79,46,247,43,217,118,222,116,251,4,213,64,178,43,144,201,143,84,6,167,161,16,184,2,218,100,6,37,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,100,89,159,103,187,12,163,9,4,119,168,98,242,147,43,71,19,135,20,13,210,153,26,145,154,126,126,225,90,152,72,193,48,0,0,0,62,121,66,123,38,21,143,132,144,20,232,210,124,88,47,113,66,244,120,173,86,199,149,89,12,113,16,137,6,76,252,198,210,167,186,20,136,163,153,105,122,69,104,179,88,170,105,11,64,0,0,0,107,147,246,161,81,84,201,129,253,138,140,188,66,116,33,146,239,68,29,223,253,252,255,164,100,122,38,103,192,186,98,247,212,97,214,254,62,192,238,229,238,249,192,211,109,103,83,61,3,234,41,120,50,228,215,189,93,49,251,72,228,234,237,149), $null, 'CurrentUser')"
        2⤵
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:2532
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,113,200,52,246,139,142,208,68,160,175,218,80,251,197,138,112,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,218,162,196,100,79,46,247,43,217,118,222,116,251,4,213,64,178,43,144,201,143,84,6,167,161,16,184,2,218,100,6,37,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,100,89,159,103,187,12,163,9,4,119,168,98,242,147,43,71,19,135,20,13,210,153,26,145,154,126,126,225,90,152,72,193,48,0,0,0,62,121,66,123,38,21,143,132,144,20,232,210,124,88,47,113,66,244,120,173,86,199,149,89,12,113,16,137,6,76,252,198,210,167,186,20,136,163,153,105,122,69,104,179,88,170,105,11,64,0,0,0,107,147,246,161,81,84,201,129,253,138,140,188,66,116,33,146,239,68,29,223,253,252,255,164,100,122,38,103,192,186,98,247,212,97,214,254,62,192,238,229,238,249,192,211,109,103,83,61,3,234,41,120,50,228,215,189,93,49,251,72,228,234,237,149), $null, 'CurrentUser')
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2472
      • C:\Users\Admin\AppData\Local\Temp\Shaderify.exe
        "C:\Users\Admin\AppData\Local\Temp\Shaderify.exe" --type=gpu-process --field-trial-handle=1188,13637512085350316135,4677928392725463459,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1204 /prefetch:2
        2⤵
          PID:2436
        • C:\Users\Admin\AppData\Local\Temp\Shaderify.exe
          "C:\Users\Admin\AppData\Local\Temp\Shaderify.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1188,13637512085350316135,4677928392725463459,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1616 /prefetch:8
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1772
        • C:\Users\Admin\AppData\Local\Temp\Shaderify.exe
          "C:\Users\Admin\AppData\Local\Temp\Shaderify.exe" --type=gpu-process --field-trial-handle=1188,13637512085350316135,4677928392725463459,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1344 /prefetch:2
          2⤵
            PID:1796
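The byte array passed to ProtectedData::Unprotect in PID 2472 is a complete DPAPI blob as written by CryptProtectData: it opens with version 1 and the DPAPI provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb, names the master key it was sealed with, and carries the cipher and hash algorithm identifiers, salt, ciphertext and signature. The Python below, an added example and not part of the sandbox output, parses that exact array from the report. It shows the blob is AES-256 with SHA-512 HMAC, sealed under master key f634c871-8e8b-44d0-a0af-da50fbc58a70 in the 'CurrentUser' scope, with 48 bytes of ciphertext; with CBC and PKCS#5 padding that means a plaintext of 32 to 47 bytes. A 32-byte key (the size of Chromium's os_crypt key) would fit exactly, but the report does not show the decrypted value, so that is an inference from the browser-data signatures, not a fact from the page. The master key GUID is the file name under %APPDATA%\Microsoft\Protect\<SID>\ that the decryption needs, so the blob only opens in the same user profile.

```python
import struct
import uuid

# Byte array copied verbatim from the powershell.exe command line in this report
# (PID 2472); it is the first argument to ProtectedData::Unprotect.
BLOB = bytes([
    1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,113,200,52,
    246,139,142,208,68,160,175,218,80,251,197,138,112,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,
    0,0,32,0,0,0,218,162,196,100,79,46,247,43,217,118,222,116,251,4,213,64,178,43,144,201,
    143,84,6,167,161,16,184,2,218,100,6,37,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,100,89,159,
    103,187,12,163,9,4,119,168,98,242,147,43,71,19,135,20,13,210,153,26,145,154,126,126,225,
    90,152,72,193,48,0,0,0,62,121,66,123,38,21,143,132,144,20,232,210,124,88,47,113,66,244,
    120,173,86,199,149,89,12,113,16,137,6,76,252,198,210,167,186,20,136,163,153,105,122,69,
    104,179,88,170,105,11,64,0,0,0,107,147,246,161,81,84,201,129,253,138,140,188,66,116,33,
    146,239,68,29,223,253,252,255,164,100,122,38,103,192,186,98,247,212,97,214,254,62,192,
    238,229,238,249,192,211,109,103,83,61,3,234,41,120,50,228,215,189,93,49,251,72,228,234,
    237,149,
])

# Provider GUID every CryptProtectData blob starts with.
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
# CryptoAPI ALG_ID values seen in DPAPI blobs.
ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256", 0x8004: "CALG_SHA1",
             0x800C: "CALG_SHA_256", 0x800E: "CALG_SHA_512"}


def parse_dpapi_blob(blob):
    """Walk the CryptProtectData output layout and return its header fields.

    Layout (integers little-endian): version, provider GUID, master key version,
    master key GUID, flags, description (len + UTF-16), crypt ALG_ID, key bits,
    salt (len + bytes), HMAC key (len + bytes), hash ALG_ID, hash bits,
    HMAC2 key (len + bytes), ciphertext (len + bytes), signature (len + bytes).
    """
    off = 0

    def u32():
        nonlocal off
        (v,) = struct.unpack_from("<I", blob, off)
        off += 4
        return v

    def raw(n):
        nonlocal off
        chunk = blob[off:off + n]
        if len(chunk) != n:
            raise ValueError("truncated DPAPI blob")
        off += n
        return chunk

    version = u32()
    provider = uuid.UUID(bytes_le=raw(16))
    if version != 1 or provider != DPAPI_PROVIDER:
        raise ValueError("not a DPAPI (CryptProtectData) blob")
    mk_version = u32()
    master_key = uuid.UUID(bytes_le=raw(16))
    flags = u32()
    description = raw(u32()).decode("utf-16-le").rstrip("\x00")
    alg_crypt, key_bits = u32(), u32()
    salt = raw(u32())
    hmac_key = raw(u32())
    alg_hash, hash_bits = u32(), u32()
    hmac2_key = raw(u32())
    data = raw(u32())
    sign = raw(u32())
    if off != len(blob):
        raise ValueError("trailing bytes after DPAPI blob")
    return {
        "master_key_guid": str(master_key),
        "master_key_version": mk_version,
        "flags": flags,
        "description": description,
        "alg_crypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "key_bits": key_bits,
        "salt_len": len(salt),
        "hmac_key_len": len(hmac_key),
        "alg_hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
        "hash_bits": hash_bits,
        "hmac2_key_len": len(hmac2_key),
        "data_len": len(data),
        "sign_len": len(sign),
        # CBC with PKCS#5 padding: plaintext length is between data_len-16 and data_len-1.
        "plaintext_min": len(data) - 16,
        "plaintext_max": len(data) - 1,
    }


if __name__ == "__main__":
    for k, v in parse_dpapi_blob(BLOB).items():
        print(f"{k:20} {v}")
```

The parser rejects anything that does not start with the DPAPI provider GUID and anything with bytes left over after the signature, so it can be pointed at byte arrays lifted from other command lines or scripts to tell genuine DPAPI blobs from look-alike obfuscation.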

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\ProgramData\edge\Updater\Get-Clipboard.ps1

          Filesize

          3KB

          MD5

          52cc110bb3777aa6bba7900630d4eb49

          SHA1

          3663dc658fd13d407e49781d1a5c2aa203c252fc

          SHA256

          892a9edb03db3fd88fecc1e1a2f56a7339f16f6734e8d77e6538ea2c8c9026d6

          SHA512

          89b80d2783e902d68ffd08b6f3fb1848ae6e6c4bf2d7a1e4afdac970b2ee6ffcc58116cdd6234e3d6278eb9413d36aafe62b5beca24a0846575d12af0c5112ab

        • C:\Users\Admin\AppData\Local\Temp\Admincookies.zip

          Filesize

          22B

          MD5

          76cdb2bad9582d23c1f6f4d868218d6c

          SHA1

          b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

          SHA256

          8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

          SHA512

          5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

        • C:\Users\Admin\AppData\Local\Temp\RES148B.tmp

          Filesize

          1KB

          MD5

          be5c1091f833d25c9bb9521b87a39b18

          SHA1

          06e3edef9a37957b2584477e1adecea89e35b972

          SHA256

          6174c5ae01b7bd0372fe3dd2f2d135dcb8dca09e6584ccc800027fec6f34a5f3

          SHA512

          ee3c87d4d3d935e51acd7cf9bb845971085851b3a596c3f53f1c8bb15d55c2d6ec9308ba697ad1991cf3160a4df21ad2fce1bc4a958ea051c4554b66a2fd0e77

        • C:\Users\Admin\AppData\Local\Temp\yiuunn7z.dll

          Filesize

          3KB

          MD5

          c887ac1198786b51fe161467b14552db

          SHA1

          c7d640d9c53167b66aa899e147f67ed58510f964

          SHA256

          6ea1c0338fee8cfab6c1adef2cd047266a35248c1baeebc6e57697f103012cf2

          SHA512

          9b430bc0b0884f618e9eeb07b326bfc0d4811c9b99b86f54850360474de1b0fb534d9137c996b24276bb49d9e30260a36b1ae7abc281acc8cc8a900bf75406fa

        • C:\Users\Admin\AppData\Local\Temp\yiuunn7z.pdb

          Filesize

          11KB

          MD5

          960b7e688c1122b39ae7806ef397e71c

          SHA1

          f12583e1dc984f2bc8fe9524615a5fe6d8bbf3ca

          SHA256

          b2c4cbf77c2f05d2957e784c2196254b989e238477c06828b5f20ebdd2187ef3

          SHA512

          a398381fb41f1493e3bfd4d622ae74f9c0253f45b0e2a1a3456c6fa843c361a908ad5190842e34c9718631a989fa69ded76963b960b8ff83fa4e686b494125c0

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

          Filesize

          7KB

          MD5

          d78164ff249c6a75248c9e658466420d

          SHA1

          fe9e1fc05cd06434260139842c92827fea96a863

          SHA256

          bf447616c34c1e62f7b4f3bac2e45ea3cd7c5722a2346c7df4a1c1fad26b1919

          SHA512

          f1f980254587c92a1b529812f669a65584557d47f002ae5d90db35c01389a61f288e04a11db6051b2df1fd30d3b0cae6a09a7e5ef00483932c757015fe879fd5

        • \??\c:\Users\Admin\AppData\Local\Temp\CSC148A.tmp

          Filesize

          652B

          MD5

          2caf5b867d97fde2fb204a44ea96597b

          SHA1

          fb0871744ef7c0d68f3b89f451396f815a25efb1

          SHA256

          3432356fa8d820d3f2e6c406617ff23c435878e6bdee9f811d1350e848723dd9

          SHA512

          9ecd7be3370f1b7db63d542e897f03966ca8233f3f343cddb7798b79ec04c2e92f014cd326a62c357dd7fbead66400b0f5667a0ecf509aa6642a2aef1d62cfe7

        • \??\c:\Users\Admin\AppData\Local\Temp\yiuunn7z.0.cs

          Filesize

          426B

          MD5

          b462a7b0998b386a2047c941506f7c1b

          SHA1

          61e8aa007164305a51fa2f1cebaf3f8e60a6a59f

          SHA256

          a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35

          SHA512

          eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

        • \??\c:\Users\Admin\AppData\Local\Temp\yiuunn7z.cmdline

          Filesize

          309B

          MD5

          b853a11392267add066748e37bd1059a

          SHA1

          983ca4dc4c5595e7bb36a414c3c4c33705012960

          SHA256

          8af06cd156b7867f5c4ddb4f322ae3a5084be22b0a9a8e00dbecdfc5dd128cef

          SHA512

          7d27480eea222c77ada289c64f698665d5a5d4f3f0e615ff89f4d016d85c4ab0b92edddaa326f2e82a635a5fca3485439f84be9c026d34946b57dd753b674cd1

        • \Users\Admin\AppData\Local\Temp\da0c7e02-143d-474d-9be6-e6dcff0d74cf.tmp.node

          Filesize

          1.4MB

          MD5

          56192831a7f808874207ba593f464415

          SHA1

          e0c18c72a62692d856da1f8988b0bc9c8088d2aa

          SHA256

          6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

          SHA512

          c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

        • memory/2436-75-0x0000000076E80000-0x0000000076E81000-memory.dmp

          Filesize

          4KB

        • memory/2436-43-0x0000000000060000-0x0000000000061000-memory.dmp

          Filesize

          4KB

        • memory/2700-11-0x0000000002910000-0x0000000002918000-memory.dmp

          Filesize

          32KB

        • memory/2700-33-0x0000000002B60000-0x0000000002B68000-memory.dmp

          Filesize

          32KB

        • memory/2700-10-0x000000001B530000-0x000000001B812000-memory.dmp

          Filesize

          2.9MB
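Two of the dropped files are worth a second look. Admincookies.zip is 22 bytes, which is exactly the size of a ZIP End Of Central Directory record with no entries and no comment, and its MD5 and SHA256 above are those of that canonical empty archive: the cookie collection produced nothing, most plausibly because the clean sandbox profile had no browser data to take. The yiuunn7z.* files and the RES/CSC .tmp files are the transient inputs and outputs of the csc.exe compile triggered by Add-Type, not payloads in their own right. The Python below is an added example, not part of the sandbox output: it decodes the EOCD record directly from bytes, so a captured archive can be classified without trusting its extension, and checks the constructed empty archive against the hashes the report lists. The sample cookie content in the non-empty case is constructed.

```python
import hashlib
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
EOCD_LEN = 22  # fixed part of the End Of Central Directory record

# Hashes this report lists for C:\Users\Admin\AppData\Local\Temp\Admincookies.zip.
REPORTED = {
    "md5": "76cdb2bad9582d23c1f6f4d868218d6c",
    "sha256": "8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85",
}

# An archive that contains nothing: the EOCD signature followed by 18 zero bytes.
EMPTY_ZIP = EOCD_SIG + bytes(18)


def parse_eocd(data):
    """Locate and decode the EOCD record; returns entry count and directory geometry."""
    # The EOCD is at the very end, possibly followed by a comment of up to 65535 bytes.
    start = max(0, len(data) - EOCD_LEN - 0xFFFF)
    pos = data.rfind(EOCD_SIG, start)
    if pos < 0 or pos + EOCD_LEN > len(data):
        raise ValueError("no EOCD record: not a ZIP archive")
    (_disk, _cd_disk, _entries_here, total_entries,
     cd_size, cd_offset, comment_len) = struct.unpack_from("<HHHHIIH", data, pos + 4)
    return {
        "eocd_offset": pos,
        "total_entries": total_entries,
        "central_dir_size": cd_size,
        "central_dir_offset": cd_offset,
        "comment_len": comment_len,
        # True only for the 22-byte archive that holds no files at all.
        "eocd_only": pos == 0 and len(data) == EOCD_LEN,
    }


def hashes(data):
    """MD5 and SHA256 of a byte string, hex-encoded like the report."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def matches_report(data):
    """Which of the report's hashes for Admincookies.zip the given bytes reproduce."""
    h = hashes(data)
    return {k: h[k] == v for k, v in REPORTED.items()}


def build_zip(files):
    """Constructed helper: build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    print("empty archive:", parse_eocd(EMPTY_ZIP), matches_report(EMPTY_ZIP))
    # Constructed: what the archive would look like had one cookie store been collected.
    sample = build_zip({"Cookies": b"constructed sample cookie database"})
    print("one entry:", len(sample), "bytes,", parse_eocd(sample))
```

When triaging a stealer run, an output archive that parses to zero entries is a strong hint that the detonation environment lacked the data the sample wanted; re-running with a populated browser profile usually produces the exfiltration traffic that this report's Network section does not show.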