Overview (score 7)
Static (score 3)

Targets (score | sample | platform)
7 | ShadowGen ...rp.exe | windows7-x64
7 | ShadowGen ...rp.exe | windows11-21h2-x64
3 | shadowgen.pyc | windows10-2004-x64
3 | shadowgen.pyc | windows11-21h2-x64
1 | ShadowGen ...et.dll | windows10-1703-x64
1 | ShadowGen ...et.dll | windows11-21h2-x64
7 | ShadowGen ...en.exe | windows10-2004-x64
7 | ShadowGen ...en.exe | windows11-21h2-x64
1 | ShadowGen ...er.dll | windows7-x64
1 | ShadowGen ...er.dll | windows11-21h2-x64
1 | ShadowGen ...it.dll | windows10-1703-x64
1 | ShadowGen ...it.dll | windows11-21h2-x64
1 | ShadowGen ...32.exe | windows10-1703-x64
1 | ShadowGen ...32.exe | windows11-21h2-x64
1 | ShadowGen ...ef.exe | windows7-x64
1 | ShadowGen ...ef.exe | windows11-21h2-x64
1 | ShadowGen ...32.dll | windows10-1703-x64
1 | ShadowGen ...32.dll | windows11-21h2-x64
1 | ShadowGen ...oc.dll | windows11-21h2-x64
1 | ShadowGen ...oc.dll | windows11-21h2-x64

Analysis
max time kernel: 89s
max time network: 100s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 03-06-2024 19:50
Behavioral tasks (task | sample | resource)
behavioral1 | ShadowGen By ShadowOxygen/CefSharp.exe | win7-20240508-en
behavioral2 | ShadowGen By ShadowOxygen/CefSharp.exe | win11-20240426-en
behavioral3 | shadowgen.pyc | win10v2004-20240426-en
behavioral4 | shadowgen.pyc | win11-20240508-en
behavioral5 | ShadowGen By ShadowOxygen/Extreme.Net.dll | win10-20240404-en
behavioral6 | ShadowGen By ShadowOxygen/Extreme.Net.dll | win11-20240508-en
behavioral7 | ShadowGen By ShadowOxygen/ShadowGen By ShadowOxygen.exe | win10v2004-20240226-en
behavioral8 | ShadowGen By ShadowOxygen/ShadowGen By ShadowOxygen.exe | win11-20240426-en
behavioral9 | ShadowGen By ShadowOxygen/WebDriver.dll | win7-20240508-en
behavioral10 | ShadowGen By ShadowOxygen/WebDriver.dll | win11-20240508-en
behavioral11 | ShadowGen By ShadowOxygen/Xceed.Wpf.Toolkit.dll | win10-20240404-en
behavioral12 | ShadowGen By ShadowOxygen/Xceed.Wpf.Toolkit.dll | win11-20240426-en
behavioral13 | ShadowGen By ShadowOxygen/bin32.exe | win10-20240404-en
behavioral14 | ShadowGen By ShadowOxygen/bin32.exe | win11-20240419-en
behavioral15 | ShadowGen By ShadowOxygen/libcef.exe | win7-20240508-en
behavioral16 | ShadowGen By ShadowOxygen/libcef.exe | win11-20240508-en
behavioral17 | ShadowGen By ShadowOxygen/msacm32.dll | win10-20240404-en
behavioral18 | ShadowGen By ShadowOxygen/msacm32.dll | win11-20240508-en
behavioral19 | ShadowGen By ShadowOxygen/secproc.dll | win11-20240426-en
behavioral20 | ShadowGen By ShadowOxygen/secproc.dll | win11-20240508-en
General
Target: ShadowGen By ShadowOxygen/ShadowGen By ShadowOxygen.exe
Size: 376KB
MD5: c1ac94132be0253db034baa60428b959
SHA1: 920103cd37dae1ff8caad58968ef4ac4002ab712
SHA256: 54f2e8ed694b3d25aa2ae6b5ffd1bcf5fdda393bd88d9f775baab626ff664bf1
SHA512: 6917f1d66edef06840ed15dc7889e5686c323842b4de243e6c18467a598a90286943d0c2bcc26cec178020e6db3c3afa4349b40513821371c5aa78a014c30f7a
SSDEEP: 6144:hfKFwAw4ieq+cDguYTu08bPBhukn7HMeEW3/tAOQ1QVa6YeFguo/rQaVriv:hfKFwAwTt+wguYTuvbPB0kD+16Ye1o/7
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid  | Process
  2584 | vshost.exe
  1576 | winst.exe

Loads dropped DLL (5 IoCs)
  pid  | Process
  3148 | CefSharp.dll
  3148 | CefSharp.dll
  3148 | CefSharp.dll
  3148 | CefSharp.dll
  3148 | CefSharp.dll

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid  | Process
  Token: 35   | 3148 | CefSharp.dll

Suspicious use of WriteProcessMemory (10 IoCs)
  description                       | pid  | Process                       | procid_target
  PID 3124 wrote to memory of 2584  | 3124 | ShadowGen By ShadowOxygen.exe | 78
  PID 3124 wrote to memory of 2584  | 3124 | ShadowGen By ShadowOxygen.exe | 78
  PID 3124 wrote to memory of 2584  | 3124 | ShadowGen By ShadowOxygen.exe | 78
  PID 3124 wrote to memory of 3120  | 3124 | ShadowGen By ShadowOxygen.exe | 79
  PID 3124 wrote to memory of 3120  | 3124 | ShadowGen By ShadowOxygen.exe | 79
  PID 3124 wrote to memory of 1576  | 3124 | ShadowGen By ShadowOxygen.exe | 80
  PID 3124 wrote to memory of 1576  | 3124 | ShadowGen By ShadowOxygen.exe | 80
  PID 3124 wrote to memory of 1576  | 3124 | ShadowGen By ShadowOxygen.exe | 80
  PID 3120 wrote to memory of 3148  | 3120 | CefSharp.dll                  | 81
  PID 3120 wrote to memory of 3148  | 3120 | CefSharp.dll                  | 81
Processes

C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\ShadowGen By ShadowOxygen.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\ShadowGen By ShadowOxygen.exe"
  PID: 3124
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\ProgramData\vshost\vshost.exe
  |     command line: C:\ProgramData\\vshost\\vshost.exe ,.
  |     PID: 2584
  |     - Executes dropped EXE
  |
  +-- C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.dll
  |     command line: CefSharp.dll
  |     PID: 3120
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.dll
  |           command line: CefSharp.dll
  |           PID: 3148
  |           - Loads dropped DLL
  |           - Suspicious use of AdjustPrivilegeToken
  |
  +-- C:\ProgramData\winst\winst.exe
        command line: C:\ProgramData\\winst\\winst.exe pqD7ns3fFQLecdPnq54jrnAkrqhcPabFqf510oFIPQFmrymjiCMGDaBrcOTkTSSJ
        PID: 1576
        - Executes dropped EXE
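Two checks a hunter would take from the process tree and the WriteProcessMemory table, written as an added example that is not part of the sandbox report. The event records are constructed from the tree above (field names pid, ppid, image and cmdline are an assumption modelled on Sysmon Event ID 1, not captured telemetry) plus one benign control process. The first function turns the tree's three oddities into rules: a %TEMP% executable spawning a fresh `<dir>\<name>.exe` under C:\ProgramData, a file named `.dll` running as a process image, and a long opaque token on a command line. The second encodes a caveat about the WriteProcessMemory signature: every target PID in that table is a direct child of the writer in the tree, which is what a parent's writes during process creation look like, so the signature on its own is weak evidence of injection into a foreign process.

```python
"""Added example (not from the sandbox report): hunting rules derived from the
process tree, plus a classifier for the WriteProcessMemory rows.
Event shape is an ASSUMPTION modelled on Sysmon Event ID 1; records are constructed."""
import math
import re
from collections import Counter

# Constructed from the report's tree; pid 1000 and notepad.exe are an assumed benign control.
EVENTS = [
    {"pid": 3124, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\ShadowGen By ShadowOxygen.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\ShadowGen By ShadowOxygen.exe"'},
    {"pid": 2584, "ppid": 3124, "image": r"C:\ProgramData\vshost\vshost.exe",
     "cmdline": r"C:\ProgramData\\vshost\\vshost.exe ,."},
    {"pid": 3120, "ppid": 3124,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.dll",
     "cmdline": "CefSharp.dll"},
    {"pid": 3148, "ppid": 3120,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.dll",
     "cmdline": "CefSharp.dll"},
    {"pid": 1576, "ppid": 3124, "image": r"C:\ProgramData\winst\winst.exe",
     "cmdline": r"C:\ProgramData\\winst\\winst.exe pqD7ns3fFQLecdPnq54jrnAkrqhcPabFqf510oFIPQFmrymjiCMGDaBrcOTkTSSJ"},
    {"pid": 4000, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# The ten "wrote to memory of" rows from the Signatures section, as (writer pid, target pid).
WPM_ROWS = [(3124, 2584)] * 3 + [(3124, 3120)] * 2 + [(3124, 1576)] * 3 + [(3120, 3148)] * 2

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
PROGRAMDATA_EXE_RE = re.compile(r"^[A-Z]:\\ProgramData\\[^\\]+\\[^\\]+\.exe$", re.I)
LONG_TOKEN_RE = re.compile(r"[A-Za-z0-9]{32,}")


def split_args(cmdline):
    """Return everything after the image token (a quoted image or the first space-delimited word).
    Simplified on purpose: it does not implement every CommandLineToArgvW rule."""
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:].strip() if end != -1 else ""
    parts = cmdline.split(" ", 1)
    return parts[1].strip() if len(parts) == 2 else ""


def shannon_entropy(s):
    """Bits per character; a random base-62 token scores well above a word-like one."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def hunt(events):
    """Apply the three rules; returns {pid: [rule names]} for processes that hit at least one."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for e in events:
        reasons = []
        parent = by_pid.get(e["ppid"])
        # Rule 1: a %TEMP% executable starts a <dir>\<name>.exe directly under C:\ProgramData
        if parent and TEMP_RE.search(parent["image"]) and PROGRAMDATA_EXE_RE.match(e["image"]):
            reasons.append("programdata_exe_spawned_from_temp")
        # Rule 2: a file with a .dll name is the process image (CefSharp.dll in the tree)
        if e["image"].lower().endswith(".dll"):
            reasons.append("dll_as_process_image")
        # Rule 3: a long, high-entropy token among the arguments (winst.exe's 64-char argument)
        if any(shannon_entropy(t) > 4.0 for t in LONG_TOKEN_RE.findall(split_args(e["cmdline"]))):
            reasons.append("high_entropy_argument")
        if reasons:
            hits[e["pid"]] = reasons
    return hits


def classify_wpm(rows, events):
    """Label each WriteProcessMemory row 'child' when the target is a direct child of the writer
    (the writes that accompany CreateProcess) and 'cross-process' otherwise, which deserves a look."""
    ppid = {e["pid"]: e["ppid"] for e in events}
    return [(w, t, "child" if ppid.get(t) == w else "cross-process") for w, t in rows]


if __name__ == "__main__":
    for pid, why in hunt(EVENTS).items():
        print(pid, ", ".join(why))
    for w, t, label in classify_wpm(WPM_ROWS, EVENTS):
        print(f"{w} -> {t}: {label}")
```

Rule 1 deliberately keys on the parent's location rather than on the names vshost.exe and winst.exe, since those are trivially changed; rule 3 uses an entropy threshold rather than the literal token for the same reason. All ten WriteProcessMemory rows classify as parent-to-child writes, so the injection-style signature adds nothing beyond what the tree already shows for this run.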
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 238KB
MD5: 4e6a7ee0e286ab61d36c26bd38996821
SHA1: 820674b4c75290f8f667764bfb474ca8c1242732
SHA256: f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3
SHA512: f9d99d960afce980421e654d1d541c1fdb81252615c48eed5c4a5c962cb20123d06dbdf383a37a476aa41e4ffabca30e95a8735739c35f66efbaa1dee8a9ba8a

Filesize: 211KB
MD5: 59238144771807b1cbc407b250d6b2c3
SHA1: 6c9f87cca7e857e888cb19ea45cf82d2e2d29695
SHA256: 8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b
SHA512: cf2f8b84526ae8a1445a2d8a2b9099b164f80a7b7290f68058583b0b235395d749ad0b726c4e36d5e901c18d6946fd9b0dd76c20016b65dc7a3977f68ee4a220

Filesize: 87KB
MD5: 0e675d4a7a5b7ccd69013386793f68eb
SHA1: 6e5821ddd8fea6681bda4448816f39984a33596b
SHA256: bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
SHA512: cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Filesize: 129KB
MD5: 2f21f50d2252e3083555a724ca57b71e
SHA1: 49ec351d569a466284b8cc55ee9aeaf3fbf20099
SHA256: 09887f07f4316057d3c87e3a907c2235dc6547e54ed4f5f9125f99e547d58bce
SHA512: e71ff1e63105f51a4516498cd09f8156d7208758c5dc9a74e7654844e5cefc6e84f8fe98a1f1bd7a459a98965fbe913cb5edb552fffa1e33dfda709f918dddeb

Filesize: 38KB
MD5: c3b19ad5381b9832e313a448de7c5210
SHA1: 51777d53e1ea5592efede1ed349418345b55f367
SHA256: bdf4a536f783958357d2e0055debdc3cf7790ee28beb286452eec0354a346bdc
SHA512: 7f8d3b79a58612e850d18e8952d14793e974483c688b5daee217baaa83120fd50d1e036ca4a1b59d748b22951744377257d2a8f094a4b4de1f79fecd4bf06afb

Filesize: 760KB
MD5: 057917a14cf42e6a27902be13bf1b5af
SHA1: c1e2437235b002a77f88fe7938b4bef560499739
SHA256: be8e5189ce4183ef24cbc06c8db98f7da16b9b236e6375450b688bd51fedf224
SHA512: 31951fa321971a8a273cdbf0f9c7fae7b4f9880d2b7ab64e324562b5fa0650c053db099b760cc3cfe4033296bb7b26cb7d3d94f5bac3b50d3afce8a3d01a3cb8

Filesize: 2.4MB
MD5: 022a61849adab67e3a59bcf4d0f1c40b
SHA1: fca2e1e8c30767c88f7ab5b42fe2bd9abb644672
SHA256: 2a57183839c3e9cc4618fb1994c40e47672a8b6daffaa76c5f89cf2542b02c2f
SHA512: 94ac596181f0887af7bf02a7ce31327ad443bb7fe2d668217953e0f0c782d19296a80de965008118708afd9bda14fd8c78f49785ebf7abcc37d166b692e88246

Filesize: 3.7MB
MD5: 62125a78b9be5ac58c3b55413f085028
SHA1: 46c643f70dd3b3e82ab4a5d1bc979946039e35b2
SHA256: 17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f
SHA512: e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4
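A hash sweep that turns the General and Downloads hashes into a host check, added here as an example rather than anything the report or the sample's author provides. The SHA256 values are copied from the sections above; the report does not say which Downloads entry corresponds to vshost.exe or winst.exe, so those two are checked by the drop path from the process tree instead. The directory used for the dry run, and the file contents in it, are constructed so the sweep runs offline.

```python
"""Added example (not from the sandbox report): sweep a directory tree against the
report's SHA256 IoCs with one read per file, and check the two drop paths by name.
The demo tree built by make_demo_tree() is constructed, not real malware."""
import hashlib
import os
import tempfile

# Copied from the General (sample) and Downloads sections of the report.
REPORT_SHA256 = {
    "54f2e8ed694b3d25aa2ae6b5ffd1bcf5fdda393bd88d9f775baab626ff664bf1",  # ShadowGen By ShadowOxygen.exe, 376KB
    "f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3",  # 238KB
    "8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b",  # 211KB
    "bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1",  # 87KB
    "09887f07f4316057d3c87e3a907c2235dc6547e54ed4f5f9125f99e547d58bce",  # 129KB
    "bdf4a536f783958357d2e0055debdc3cf7790ee28beb286452eec0354a346bdc",  # 38KB
    "be8e5189ce4183ef24cbc06c8db98f7da16b9b236e6375450b688bd51fedf224",  # 760KB
    "2a57183839c3e9cc4618fb1994c40e47672a8b6daffaa76c5f89cf2542b02c2f",  # 2.4MB
    "17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f",  # 3.7MB
}

# Drop locations from the process tree, checked by path (see lead-in).
REPORT_DROP_PATHS = (r"C:\ProgramData\vshost\vshost.exe", r"C:\ProgramData\winst\winst.exe")


def digest_file(path, chunk=1 << 20):
    """MD5, SHA1 and SHA256 of one file in a single chunked pass, so large files are not
    read three times and never loaded whole into memory."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def sweep(root, sha256_iocs=REPORT_SHA256):
    """Walk root and return [(path, sha256)] for every regular file whose SHA256 is an IoC.
    Files that cannot be read (locked, permission denied) are skipped, not fatal."""
    wanted = {h.lower() for h in sha256_iocs}
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = digest_file(path)
            except OSError:
                continue
            if digests["sha256"] in wanted:
                matches.append((path, digests["sha256"]))
    return matches


def drop_paths_present(paths=REPORT_DROP_PATHS):
    """Return whichever of the report's drop paths exist on this host."""
    return [p for p in paths if os.path.isfile(p)]


def make_demo_tree():
    """Constructed dry-run directory: a planted stand-in at the report's vshost drop path,
    an empty file (known digests), and a decoy. Returns the root, the planted file's SHA256
    and the empty file's path."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_demo_")
    os.makedirs(os.path.join(root, "ProgramData", "vshost"))
    planted = os.path.join(root, "ProgramData", "vshost", "vshost.exe")
    content = b"MZ constructed stand-in for a dropped binary\n"  # not a real PE
    with open(planted, "wb") as fh:
        fh.write(content)
    empty = os.path.join(root, "empty.bin")
    open(empty, "wb").close()
    with open(os.path.join(root, "decoy.txt"), "wb") as fh:
        fh.write(b"unrelated content\n")
    return {"root": root, "planted_sha256": hashlib.sha256(content).hexdigest(), "empty": empty}


if __name__ == "__main__":
    demo = make_demo_tree()
    print("report IoCs only:", sweep(demo["root"]))
    print("with planted hash:", sweep(demo["root"], REPORT_SHA256 | {demo["planted_sha256"]}))
    print("drop paths on this host:", drop_paths_present())
```

The sweep matches on SHA256 only; MD5 and SHA1 are computed in the same pass so a hit can be cross-checked against the other two columns of the report, which guards against a typo in a single copied hash. Expect the hash sweep to miss rebuilt or re-packed variants; the path check and the process-tree rules cover that gap.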