Overview

overview

10

Static

static

10

shakeyodick.exe

windows7-x64

10

shakeyodick.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-09-2024 02:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    shakeyodick.exe

  • Size

    93KB

  • MD5

    a535dad10d6cd4f4c2511f63fb158aeb

  • SHA1

    cd7be9d3482a016e0f72c5ba387f33a96294641a

  • SHA256

    615cce712299d6ba862286d4a7ea94f765b44f2f05b5d4f02046beba8b3791a3

  • SHA512

    16037d0cbafe06314534cb17f3e72b19f28acfa1828ac66949d162e046b92b61892d66322c24a57859657dc587c8f6bacaa7c13c73e89d721b6ab966c0b13f89

  • SSDEEP

    1536:E+AYtSUFKnOr70txlZbgoGXejEwzGi1dDnDugS:E+tdKnOr70txIXni1dPT

Score
8/10
discoveryevasionpersistenceprivilege_escalation

Malware Config

Signatures

  • Disables Task Manager via registry modification
    evasion
  • Modifies Windows Firewall 2 TTPs 24 IoCs
    evasion
  • Checks computer location settings 2 TTPs 17 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 27 IoCs
  • Executes dropped EXE 17 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\shakeyodick.exe
    "C:\Users\Admin\AppData\Local\Temp\shakeyodick.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4840
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1252
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:744
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2404
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4404
        • C:\Users\Admin\AppData\Local\Temp\server.exe
          "C:\Users\Admin\AppData\Local\Temp\server.exe"
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2704
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:404
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:3832
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:3896
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3152
            • C:\Users\Admin\AppData\Local\Temp\server.exe
              "C:\Users\Admin\AppData\Local\Temp\server.exe"
              6⤵
              • Checks computer location settings
              • Drops startup file
              • Executes dropped EXE
              • Drops file in System32 directory
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4516
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • System Location Discovery: System Language Discovery
                PID:1640
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • System Location Discovery: System Language Discovery
                PID:3428
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • System Location Discovery: System Language Discovery
                PID:2124
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:212
                • C:\Users\Admin\AppData\Local\Temp\server.exe
                  "C:\Users\Admin\AppData\Local\Temp\server.exe"
                  8⤵
                  • Checks computer location settings
                  • Drops startup file
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Drops file in Program Files directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:744
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                    9⤵
                    • Modifies Windows Firewall
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:2396
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                    9⤵
                    • Modifies Windows Firewall
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:4812
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                    9⤵
                    • Modifies Windows Firewall
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:32
                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                    9⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:1924
                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                      10⤵
                      • Checks computer location settings
                      • Drops startup file
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • Drops file in Program Files directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: GetForegroundWindowSpam
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4344
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                        11⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:4340
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                        11⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:4732
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                        11⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:3152
                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                        11⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:5012
                        • C:\Users\Admin\AppData\Local\Temp\server.exe
                          "C:\Users\Admin\AppData\Local\Temp\server.exe"
                          12⤵
                          • Checks computer location settings
                          • Drops startup file
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • Drops file in Program Files directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious behavior: GetForegroundWindowSpam
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3688
                          • C:\Windows\SysWOW64\netsh.exe
                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                            13⤵
                            • Modifies Windows Firewall
                            • Event Triggered Execution: Netsh Helper DLL
                            • System Location Discovery: System Language Discovery
                            PID:2508
                          • C:\Windows\SysWOW64\netsh.exe
                            netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                            13⤵
                            • Modifies Windows Firewall
                            • Event Triggered Execution: Netsh Helper DLL
                            • System Location Discovery: System Language Discovery
                            PID:1460
                          • C:\Windows\SysWOW64\netsh.exe
                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                            13⤵
                            • Modifies Windows Firewall
                            • Event Triggered Execution: Netsh Helper DLL
                            • System Location Discovery: System Language Discovery
                            PID:1996
                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                            13⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4048
                            • C:\Users\Admin\AppData\Local\Temp\server.exe
                              "C:\Users\Admin\AppData\Local\Temp\server.exe"
                              14⤵
                              • Checks computer location settings
                              • Drops startup file
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • Drops file in Program Files directory
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious behavior: GetForegroundWindowSpam
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2116
                              • C:\Windows\SysWOW64\netsh.exe
                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                15⤵
                                • Modifies Windows Firewall
                                • Event Triggered Execution: Netsh Helper DLL
                                • System Location Discovery: System Language Discovery
                                PID:4056
                              • C:\Windows\SysWOW64\netsh.exe
                                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                15⤵
                                • Modifies Windows Firewall
                                • Event Triggered Execution: Netsh Helper DLL
                                • System Location Discovery: System Language Discovery
                                PID:4008
                              • C:\Windows\SysWOW64\netsh.exe
                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                15⤵
                                • Modifies Windows Firewall
                                • Event Triggered Execution: Netsh Helper DLL
                                • System Location Discovery: System Language Discovery
                                PID:4812
                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                15⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                PID:1924
                                • C:\Users\Admin\AppData\Local\Temp\server.exe
                                  "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                  16⤵
                                  • Checks computer location settings
                                  • Drops startup file
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • Drops file in Program Files directory
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious behavior: GetForegroundWindowSpam
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2664
                                  • C:\Windows\SysWOW64\netsh.exe
                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                    17⤵
                                    • Modifies Windows Firewall
                                    • Event Triggered Execution: Netsh Helper DLL
                                    • System Location Discovery: System Language Discovery
                                    PID:3424
                                  • C:\Windows\SysWOW64\netsh.exe
                                    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                    17⤵
                                    • Modifies Windows Firewall
                                    • Event Triggered Execution: Netsh Helper DLL
                                    • System Location Discovery: System Language Discovery
                                    PID:1284
                                  • C:\Windows\SysWOW64\netsh.exe
                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                    17⤵
                                    • Modifies Windows Firewall
                                    • Event Triggered Execution: Netsh Helper DLL
                                    • System Location Discovery: System Language Discovery
                                    PID:4340
                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                    17⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    PID:4816
                                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                      18⤵
                                      • Executes dropped EXE
                                      • System Location Discovery: System Language Discovery
                                      PID:3612

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log
    Filesize

    496B

    MD5

    a4467dea22bfd7e0083d680c571f5e7c

    SHA1

    59682ca656f04dd57f7ef4552b96f71d73196ea2

    SHA256

    d165b248678c73e289a7d4a8aa74acc5c09408e58b8f2abd668013ca12c00cc4

    SHA512

    73d25a179994c16b2b3a357e8b068ebf415418033cd601d7084b3a44d822cb99c33c396c9a27ad6fa2066748032e21f09ce89461bc3180ec071d2d64e68ad790

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log
    Filesize

    408B

    MD5

    661cab77d3b907e8057f2e689e995af3

    SHA1

    5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c

    SHA256

    8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2

    SHA512

    2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\melt.txt
    Filesize

    44B

    MD5

    298802dff6aa26d4fb941c7ccf5c0849

    SHA1

    11e518ca3409f1863ebc2d3f1be9fb701bad52c0

    SHA256

    df99fdbdf7b92b29b1bf1ca4283b4de2e04643b9739d2d1089ab5808e8e5665d

    SHA512

    0301017dfef1b74855d6535f3fd542257689479cb933c2e8742b5b6b94e26107fa38e7fc21bdb83d45184750eced344856092330fb30a1ebbc24b2b9004c8946

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\server.exe
    Filesize

    93KB

    MD5

    a535dad10d6cd4f4c2511f63fb158aeb

    SHA1

    cd7be9d3482a016e0f72c5ba387f33a96294641a

    SHA256

    615cce712299d6ba862286d4a7ea94f765b44f2f05b5d4f02046beba8b3791a3

    SHA512

    16037d0cbafe06314534cb17f3e72b19f28acfa1828ac66949d162e046b92b61892d66322c24a57859657dc587c8f6bacaa7c13c73e89d721b6ab966c0b13f89

    Download Submit

  • C:\Users\Admin\AppData\Roaming\app
    Filesize

    5B

    MD5

    b66e20886f9675fe4dbf430ea2d0bf8d

    SHA1

    2e676da72201e6e4482e00b300511900c6aee5a0

    SHA256

    899a421c56c18058cbdd16dd7fb313a57d36c1189ca0f442070ed01d17241414

    SHA512

    f431616522f775de27ccde420f0de6f8b3477fbe97cfd8001864b8289a570916a6dd32c84fcf8af6083d8c1b47c61aa5c73ed1e7cc75213d3f24bd94a93cb870

    Download Submit

  • memory/2368-15-0x0000000074AD0000-0x0000000075081000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2368-29-0x0000000074AD0000-0x0000000075081000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2368-66-0x0000000074AD0000-0x0000000075081000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2368-14-0x0000000074AD0000-0x0000000075081000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4840-0-0x0000000074AD2000-0x0000000074AD3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4840-13-0x0000000074AD0000-0x0000000075081000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4840-2-0x0000000074AD0000-0x0000000075081000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4840-1-0x0000000074AD0000-0x0000000075081000-memory.dmp

    Filesize

    5.7MB

    Download