Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-06-2024 19:50

General

  • Target

    ShadowGen By ShadowOxygen/ShadowGen By ShadowOxygen.exe

  • Size

    376KB

  • MD5

    c1ac94132be0253db034baa60428b959

  • SHA1

    920103cd37dae1ff8caad58968ef4ac4002ab712

  • SHA256

    54f2e8ed694b3d25aa2ae6b5ffd1bcf5fdda393bd88d9f775baab626ff664bf1

  • SHA512

    6917f1d66edef06840ed15dc7889e5686c323842b4de243e6c18467a598a90286943d0c2bcc26cec178020e6db3c3afa4349b40513821371c5aa78a014c30f7a

  • SSDEEP

    6144:hfKFwAw4ieq+cDguYTu08bPBhukn7HMeEW3/tAOQ1QVa6YeFguo/rQaVriv:hfKFwAwTt+wguYTuvbPB0kD+16Ye1o/7

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\ShadowGen By ShadowOxygen.exe
    "C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\ShadowGen By ShadowOxygen.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3232
    • C:\ProgramData\vshost\vshost.exe
      C:\ProgramData\\vshost\\vshost.exe ,.
      2⤵
      • Executes dropped EXE
      PID:5112
    • C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.dll
      CefSharp.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3616
      • C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.dll
        CefSharp.dll
        3⤵
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:3240
    • C:\ProgramData\winst\winst.exe
      C:\ProgramData\\winst\\winst.exe 9tn6yvCjmsn0UaWTmqwuMxUMqEtdw9bXkWTvD9SppOxWsbvoXT5APdOsBk3x0sb5
      2⤵
      • Executes dropped EXE
      PID:3708
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4408
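The tree above is worth reading as a set of parent/child relationships rather than a flat list: the submitted EXE (PID 3232, flagged for WriteProcessMemory) starts two binaries it dropped under C:\ProgramData, hands winst.exe a 64-character alphanumeric argument, and runs CefSharp.dll as a process image, which then re-spawns itself and adjusts token privileges. The script below is an added triage example, not the sandbox's own tooling: the records are re-typed from the Processes section, while the record shape and the three heuristics (ProgramData child of a Temp-resident parent, long bare token argument, non-.exe process image) are the editor's assumptions for illustration.

```python
"""Triage checks over the sandbox process tree above (added example, not report tooling).

Records are re-typed from the Processes section: PID, parent PID, image path,
command line, and the signature labels the report attached to each process.
The record shape and the heuristics are assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]      # None: top-level node in the report's tree
    image: str
    cmdline: str
    sigs: tuple = ()         # signature labels shown under this process


SAMPLE_DIR = r"C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen"

EVENTS = [
    Proc(3232, None, SAMPLE_DIR + r"\ShadowGen By ShadowOxygen.exe",
         '"' + SAMPLE_DIR + r'\ShadowGen By ShadowOxygen.exe"',
         ("Suspicious use of WriteProcessMemory",)),
    Proc(5112, 3232, r"C:\ProgramData\vshost\vshost.exe",
         r"C:\ProgramData\\vshost\\vshost.exe ,.", ("Executes dropped EXE",)),
    Proc(3616, 3232, SAMPLE_DIR + r"\CefSharp.dll", "CefSharp.dll",
         ("Suspicious use of WriteProcessMemory",)),
    Proc(3240, 3616, SAMPLE_DIR + r"\CefSharp.dll", "CefSharp.dll",
         ("Loads dropped DLL", "Suspicious use of AdjustPrivilegeToken")),
    Proc(3708, 3232, r"C:\ProgramData\winst\winst.exe",
         r"C:\ProgramData\\winst\\winst.exe "
         "9tn6yvCjmsn0UaWTmqwuMxUMqEtdw9bXkWTvD9SppOxWsbvoXT5APdOsBk3x0sb5",
         ("Executes dropped EXE",)),
    Proc(4408, None, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
         r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
         "--type=utility --utility-sub-type=asset_store.mojom.AssetStoreService "
         "--lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear "
         "--mojo-platform-channel-handle=1036 --field-trial-handle=2272,i,"
         "4858140932023865871,5726683989663339295,262144 --variations-seed-version "
         "/prefetch:8", ()),
]


def _index(events):
    return {p.pid: p for p in events}


def ancestry(events, pid):
    """PIDs from the tree root down to `pid`; [] if the PID is unknown."""
    procs, chain, cur = _index(events), [], _index(events).get(pid)
    while cur is not None:
        chain.append(cur.pid)
        cur = procs.get(cur.ppid) if cur.ppid is not None else None
    return chain[::-1]


def programdata_children_of_temp(events):
    """(parent_pid, child_pid) pairs where a binary under C:\\ProgramData is
    started by a process whose own image lives under a user's AppData\\Local\\Temp."""
    procs, hits = _index(events), []
    for p in events:
        parent = procs.get(p.ppid) if p.ppid is not None else None
        if parent is None:
            continue
        if (p.image.lower().startswith("c:\\programdata\\")
                and "\\appdata\\local\\temp\\" in parent.image.lower()):
            hits.append((parent.pid, p.pid))
    return hits


TOKEN_ARG = re.compile(r"[A-Za-z0-9]{32,}")


def long_token_args(events):
    """PIDs whose command line carries a bare alphanumeric argument of 32+ chars.
    Whitespace splitting is crude but safe here: fragments of the quoted,
    space-containing paths can never match a pure-alphanumeric token."""
    return [p.pid for p in events
            if any(TOKEN_ARG.fullmatch(a) for a in p.cmdline.split()[1:])]


def non_exe_images(events):
    """PIDs whose process image is not a .exe (CefSharp.dll appears twice above)."""
    return [p.pid for p in events if not p.image.lower().endswith(".exe")]


def signatures_on_chain(events, pid):
    """Distinct signature labels collected along the ancestry of `pid`, root first."""
    procs, out = _index(events), []
    for anc in ancestry(events, pid):
        out.extend(s for s in procs[anc].sigs if s not in out)
    return out
```

Running the three heuristics over these records flags PIDs 5112 and 3708 as ProgramData children of the Temp-resident sample, 3708 for the long token argument, and 3616/3240 for the non-.exe image; the Edge utility process (4408) is a top-level node with no signatures and matches nothing. The chain to PID 3240 accumulates WriteProcessMemory, Loads dropped DLL and AdjustPrivilegeToken, which is the combination that justifies the report's score more than any single label does.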

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\vshost\vshost.exe

      Filesize

      238KB

      MD5

      4e6a7ee0e286ab61d36c26bd38996821

      SHA1

      820674b4c75290f8f667764bfb474ca8c1242732

      SHA256

      f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3

      SHA512

      f9d99d960afce980421e654d1d541c1fdb81252615c48eed5c4a5c962cb20123d06dbdf383a37a476aa41e4ffabca30e95a8735739c35f66efbaa1dee8a9ba8a

    • C:\ProgramData\winst\winst.exe

      Filesize

      211KB

      MD5

      59238144771807b1cbc407b250d6b2c3

      SHA1

      6c9f87cca7e857e888cb19ea45cf82d2e2d29695

      SHA256

      8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b

      SHA512

      cf2f8b84526ae8a1445a2d8a2b9099b164f80a7b7290f68058583b0b235395d749ad0b726c4e36d5e901c18d6946fd9b0dd76c20016b65dc7a3977f68ee4a220

    • C:\Users\Admin\AppData\Local\Temp\_MEI36162\VCRUNTIME140.dll

      Filesize

      87KB

      MD5

      0e675d4a7a5b7ccd69013386793f68eb

      SHA1

      6e5821ddd8fea6681bda4448816f39984a33596b

      SHA256

      bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

      SHA512

      cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

    • C:\Users\Admin\AppData\Local\Temp\_MEI36162\_ctypes.pyd

      Filesize

      129KB

      MD5

      2f21f50d2252e3083555a724ca57b71e

      SHA1

      49ec351d569a466284b8cc55ee9aeaf3fbf20099

      SHA256

      09887f07f4316057d3c87e3a907c2235dc6547e54ed4f5f9125f99e547d58bce

      SHA512

      e71ff1e63105f51a4516498cd09f8156d7208758c5dc9a74e7654844e5cefc6e84f8fe98a1f1bd7a459a98965fbe913cb5edb552fffa1e33dfda709f918dddeb

    • C:\Users\Admin\AppData\Local\Temp\_MEI36162\_hashlib.pyd

      Filesize

      38KB

      MD5

      c3b19ad5381b9832e313a448de7c5210

      SHA1

      51777d53e1ea5592efede1ed349418345b55f367

      SHA256

      bdf4a536f783958357d2e0055debdc3cf7790ee28beb286452eec0354a346bdc

      SHA512

      7f8d3b79a58612e850d18e8952d14793e974483c688b5daee217baaa83120fd50d1e036ca4a1b59d748b22951744377257d2a8f094a4b4de1f79fecd4bf06afb

    • C:\Users\Admin\AppData\Local\Temp\_MEI36162\base_library.zip

      Filesize

      760KB

      MD5

      057917a14cf42e6a27902be13bf1b5af

      SHA1

      c1e2437235b002a77f88fe7938b4bef560499739

      SHA256

      be8e5189ce4183ef24cbc06c8db98f7da16b9b236e6375450b688bd51fedf224

      SHA512

      31951fa321971a8a273cdbf0f9c7fae7b4f9880d2b7ab64e324562b5fa0650c053db099b760cc3cfe4033296bb7b26cb7d3d94f5bac3b50d3afce8a3d01a3cb8

    • C:\Users\Admin\AppData\Local\Temp\_MEI36162\libcrypto-1_1-x64.dll

      Filesize

      2.4MB

      MD5

      022a61849adab67e3a59bcf4d0f1c40b

      SHA1

      fca2e1e8c30767c88f7ab5b42fe2bd9abb644672

      SHA256

      2a57183839c3e9cc4618fb1994c40e47672a8b6daffaa76c5f89cf2542b02c2f

      SHA512

      94ac596181f0887af7bf02a7ce31327ad443bb7fe2d668217953e0f0c782d19296a80de965008118708afd9bda14fd8c78f49785ebf7abcc37d166b692e88246

    • C:\Users\Admin\AppData\Local\Temp\_MEI36162\python37.dll

      Filesize

      3.7MB

      MD5

      62125a78b9be5ac58c3b55413f085028

      SHA1

      46c643f70dd3b3e82ab4a5d1bc979946039e35b2

      SHA256

      17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f

      SHA512

      e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4
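The dropped-file list carries two kinds of information a responder uses: the hashes, which turn the report into host-searchable IOCs, and the file names, which identify the packaging. The `_MEI36162` directory together with `python37.dll`, `base_library.zip`, `_ctypes.pyd`, `_hashlib.pyd` and `libcrypto-1_1-x64.dll` is the set PyInstaller's onefile bootloader unpacks at start, so at least one executable in this run is a PyInstaller-packed Python 3.7 program; the report itself does not name PyInstaller or say which process performed the extraction, so that is the editor's reading of the file names. The script below is an added example, not the sandbox's export: the IOC table is transcribed from the Downloads section (path, reported size, MD5, SHA256), and the lookup and packaging-evidence functions are illustration.

```python
"""Hash lookup and packaging evidence for the dropped files listed above.

Added example, not the sandbox's own tooling. DROPPED is transcribed from the
Downloads section; the sample hash is from the General section. Matching is
keyed on SHA256 only: MD5 is retained for feeds that still index on it but is
not used as proof of identity.
"""
import hashlib
import re

SAMPLE_SHA256 = "54f2e8ed694b3d25aa2ae6b5ffd1bcf5fdda393bd88d9f775baab626ff664bf1"

# (path, reported size, MD5, SHA256)
DROPPED = [
    (r"C:\ProgramData\vshost\vshost.exe", "238KB",
     "4e6a7ee0e286ab61d36c26bd38996821",
     "f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3"),
    (r"C:\ProgramData\winst\winst.exe", "211KB",
     "59238144771807b1cbc407b250d6b2c3",
     "8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b"),
    (r"C:\Users\Admin\AppData\Local\Temp\_MEI36162\VCRUNTIME140.dll", "87KB",
     "0e675d4a7a5b7ccd69013386793f68eb",
     "bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1"),
    (r"C:\Users\Admin\AppData\Local\Temp\_MEI36162\_ctypes.pyd", "129KB",
     "2f21f50d2252e3083555a724ca57b71e",
     "09887f07f4316057d3c87e3a907c2235dc6547e54ed4f5f9125f99e547d58bce"),
    (r"C:\Users\Admin\AppData\Local\Temp\_MEI36162\_hashlib.pyd", "38KB",
     "c3b19ad5381b9832e313a448de7c5210",
     "bdf4a536f783958357d2e0055debdc3cf7790ee28beb286452eec0354a346bdc"),
    (r"C:\Users\Admin\AppData\Local\Temp\_MEI36162\base_library.zip", "760KB",
     "057917a14cf42e6a27902be13bf1b5af",
     "be8e5189ce4183ef24cbc06c8db98f7da16b9b236e6375450b688bd51fedf224"),
    (r"C:\Users\Admin\AppData\Local\Temp\_MEI36162\libcrypto-1_1-x64.dll", "2.4MB",
     "022a61849adab67e3a59bcf4d0f1c40b",
     "2a57183839c3e9cc4618fb1994c40e47672a8b6daffaa76c5f89cf2542b02c2f"),
    (r"C:\Users\Admin\AppData\Local\Temp\_MEI36162\python37.dll", "3.7MB",
     "62125a78b9be5ac58c3b55413f085028",
     "17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f"),
]


def digests(data: bytes) -> dict:
    """All four digests the report publishes, for comparing a file you hold."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256", "sha512")}


def by_sha256(sha256_hex: str):
    """Report path for a SHA256 (case-insensitive), or None if not in the list."""
    wanted = sha256_hex.strip().lower()
    if wanted == SAMPLE_SHA256:
        return "<submitted sample>"
    for path, _size, _md5, sha256 in DROPPED:
        if wanted == sha256:
            return path
    return None


def classify(data: bytes):
    """Match raw file bytes against the dropped-file list by SHA256."""
    return by_sha256(digests(data)["sha256"])


_MEI_DIR = re.compile(r"\\(_MEI\d+)\\")
_PY_DLL = re.compile(r"^python(\d)(\d+)\.dll$", re.IGNORECASE)


def pyinstaller_evidence(entries):
    """(set of _MEI<n> extraction dirs, bundled Python version or None).
    _MEI<n> is the directory PyInstaller's onefile bootloader extracts into;
    the bundled interpreter DLL names the runtime version."""
    dirs, version = set(), None
    for path, *_ in entries:
        m = _MEI_DIR.search(path)
        if m:
            dirs.add(m.group(1))
        v = _PY_DLL.match(path.rsplit("\\", 1)[-1])
        if v:
            version = f"{v.group(1)}.{v.group(2)}"
    return dirs, version
```

`classify` is the function to run over quarantined files: it hashes the bytes once and answers with the report path on a SHA256 match. The constructed bytes in the test are obviously not the real sample, so they return None; the digest function is checked against the well-known empty-input values instead.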